multiple tokens per user #32

Open

@dennisoderwald

Hi,

We want to allow multiple tokens per user. It always updates the existing entry. Is it possible?

Activity

changed the title [-]Multiple using?[/-] [+]multiple tokens per user[/+] on Jun 27, 2014
dennisoderwald

dennisoderwald commented on Jun 29, 2014

@dennisoderwald
Author

Multiple tokens separated via session ID handling - every request with a valid token updates the 'updated_at' field in the users table. Maybe?

tappleby

tappleby commented on Jul 1, 2014

@tappleby
Owner

I just saw your PR #33. I won't be merging this one, since the main advantage with auth tokens is they are not tied to a specific session ID.

The issue with multiple tokens per user is all existing tokens are being purged when a new one is created; the original reason for doing this was lack of expiration on the tokens. Once #23 is implemented, purging the tokens won't be a requirement.

dennisoderwald

dennisoderwald commented on Jul 1, 2014

@dennisoderwald
Author

@tappleby That's not correct. In my PR (#33), I delete all tokens with the same session_id, not all entries per user. An expiry can be implemented like 'expired_at' and checked with a cronjob for handling the ghosts in the database.

But with your current release it's not possible to store multiple tokens per user, and no one can create an app that requires multiple tokens.

I think my solution of handling session IDs is a compromise.

Did you look at my code?

tappleby

tappleby commented on Jul 1, 2014

@tappleby
Owner

I did look over your code, it also failed the Travis CI build (probably a missing dependency).

My point with "deleting all tokens per user" was referring to the current release.

I am hesitant to add the session package as a dependency, unless absolutely required. The sessions depend on cookies + the state of the server; ideally the auth tokens are portable + stateless. With PR #33 there is no way to delete all auth tokens; it depends on having a matching session id. I think something like the remember_token functionality with Laravel auth, which gets invalidated on logout, might be better suited; purge all tokens on logout (destroy) instead of on create.

The expired_at + artisan task via cron is something I have been looking at. I have also been looking into JSON Web Tokens (JWT). One advantage I see with these is all the information is stored in the token, which means you don't even need the DB table or cron job. The main downside is you don't have a record of tokens issued on the server.

bastiendonjon

bastiendonjon commented on Jul 4, 2014

@bastiendonjon

I think it is a good idea. Otherwise, what if a user connects to two different locations of an API and must not remove that last session?

sanketsahu

sanketsahu commented on Jul 16, 2014

@sanketsahu

Multiple sessions are a much-needed feature. Is it on your list?

bastiendonjon

bastiendonjon commented on Jul 16, 2014

@bastiendonjon
schilakamarri

schilakamarri commented on Aug 27, 2014

@schilakamarri

Is there an update on this?

jdhiro

jdhiro commented on Sep 8, 2014

@jdhiro

This would really be helpful in my project. I'm expecting a single user to sign in on multiple devices, and it's not ideal if they get signed out of other devices when they do that. Thanks!

sanketsahu

sanketsahu commented on Sep 8, 2014

@sanketsahu

It may be unrelated but I am switching to Node.js with Sails framework for APIs because of obvious reasons.

jdhiro

jdhiro commented on Sep 8, 2014

@jdhiro

@sanketsahusoft seems silly to switch an entire language/framework/server because one module doesn't do exactly what you want out of the box. If you're going to do all that work, you could just add the feature and submit a PR ;)

sanketsahu

sanketsahu commented on Sep 8, 2014

@sanketsahu

@jdhiro I love PHP and Laravel and moreover I really like this laravel-auth-token package and I have also used it in one of my projects. I am not switching to another language and framework for the reason of this particular issue. It's a completely different discussion and so I started off with "It may be unrelated..."

Just wanted to let the people know about other possibilities which may be helpful. :-)

sanketsahu

sanketsahu commented on Sep 8, 2014

@sanketsahu

I forked this project to provide multiple sign-in
https://github.com/sahusoftcom/laravel-auth-token

I actually just commented out the line which was clearing all the tokens of the same user.

Known bug: It does not clear the sessions if there is no logout performed, leaving many entries in the database.

jdhiro

jdhiro commented on Sep 9, 2014

@jdhiro

@sanketsahusoft 👍

dennisoderwald

dennisoderwald commented on Oct 12, 2014

@dennisoderwald
Author

Update?

esmaeilzadeh

esmaeilzadeh commented on May 27, 2015

@esmaeilzadeh

This is not a backend-only feature. The client side should provide an identifier for each device that wants to log in, so when you log out from one of these devices, the access token of this device will be erased, and when you re-login to each device the access token related to that device will be updated.
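
The design discussed in this thread, combining @tappleby's "purge on logout instead of on create" and `expired_at` + cron task with the per-device identifier suggested just above, as an added example. It is not code from laravel-auth-token or from any commenter: the table, column and function names are hypothetical, and it assumes plain PDO with in-memory SQLite instead of Laravel, with tokens stored as SHA-256 hashes.

```php
<?php
// Added example, not laravel-auth-token code; all names here are hypothetical.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE auth_tokens (user_id INTEGER, device_id TEXT, token_hash TEXT UNIQUE,
    expired_at INTEGER, PRIMARY KEY (user_id, device_id))');

// Small helper: prepare and execute a parameterised statement.
function run(PDO $db, string $sql, array $args): PDOStatement
{
    $stmt = $db->prepare($sql);
    $stmt->execute($args);
    return $stmt;
}

// Issue a token for one device; only that device's previous token is replaced.
function issueToken(PDO $db, int $userId, string $deviceId, int $now, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32)); // only the SHA-256 hash is stored
    run($db, 'INSERT OR REPLACE INTO auth_tokens VALUES (?, ?, ?, ?)',
        [$userId, $deviceId, hash('sha256', $token), $now + $ttl]);
    return $token;
}

// Resolve a token to its user id, or null when it is unknown or expired.
function validateToken(PDO $db, string $token, int $now): ?int
{
    $id = run($db, 'SELECT user_id FROM auth_tokens WHERE token_hash = ? AND expired_at > ?',
        [hash('sha256', $token), $now])->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Logout: purge one device, or every device of the user when $deviceId is null.
function logout(PDO $db, int $userId, ?string $deviceId = null): int
{
    $sql = 'DELETE FROM auth_tokens WHERE user_id = ?';
    return $deviceId === null
        ? run($db, $sql, [$userId])->rowCount()
        : run($db, $sql . ' AND device_id = ?', [$userId, $deviceId])->rowCount();
}

// Cron task: remove rows left behind by clients that never logged out.
function pruneExpired(PDO $db, int $now): int
{
    return run($db, 'DELETE FROM auth_tokens WHERE expired_at <= ?', [$now])->rowCount();
}

// Constructed scenario: two devices sign in, one logs out, the other keeps working.
$now = time();
[$phone, $laptop] = [issueToken($db, 1, 'phone', $now), issueToken($db, 1, 'laptop', $now)];
logout($db, 1, 'phone');
var_dump(validateToken($db, $phone, $now), validateToken($db, $laptop, $now));
```

Calling `logout()` without a device id gives the "delete all auth tokens" path that the owner notes is missing from PR #33, and `pruneExpired()` covers the leftover rows described as a known bug in the fork.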

malhal

malhal commented on Aug 7, 2015

@malhal

I'd really like to see this feature too. If the same user can't be logged in simultaneously on all their devices, it's pretty useless.

          multiple tokens per user · Issue #32 · tappleby/laravel-auth-token