multiple tokens per user (title changed from "Multiple using?")
dennisoderwald commented on Jun 29, 2014
Multiple Tokens separate via Session Id Handling - every Request with a valid token updates 'updated_at' field in users table. Maybe?
tappleby commented on Jul 1, 2014
I just saw your PR #33, I won't be merging this one since the main advantage with auth tokens is they are not tied to a specific session ID.
The issue with multiple tokens per user is all existing tokens are being purged when a new one is created, the original reason for doing this was lack of expiration on the tokens. Once #23 is implemented purging the tokens won't be a requirement.
dennisoderwald commented on Jul 1, 2014
@tappleby That's not correct. In my PR (#33), I delete all tokens with the same session_id, not all entries per user. An expiry can be implemented like 'expired_at' and checked with a cronjob for handling the ghosts in the database.
But with your current release it's not possible to store multiple tokens per user, and no one can create an app that requires multiple tokens.
I think my solution with handling session IDs is a compromise.
Did you look at my code?
tappleby commented on Jul 1, 2014
I did look over your code, it also failed the Travis CI build (probably a missing dependency).
My point with "deleting all tokens per user" was referring to the current release.
I am hesitant to add the session package as a dependency, unless absolutely required. The sessions depend on cookies + the state of the server; ideally the auth tokens are portable + stateless. With PR #33 there is no way to delete all auth tokens, it depends on having a matching session id. I think something like the remember_token functionality with Laravel auth which gets invalidated on logout might be better suited; purge all tokens on logout (destroy) instead of on create.
The expired_at + artisan task via cron is something I have been looking at. I have also been looking into JSON Web tokens (JWT). One advantage I see with these is all the information is stored in the token which means you don't even need the DB table or cron job. The main downside is you don't have a record of tokens issued on the server.
bastiendonjon commented on Jul 4, 2014
I think it is a good idea. Otherwise, what if a user connects to two different locations of an API? And must not remove that last session?
sanketsahu commented on Jul 16, 2014
Multiple sessions is a much needed feature. Is it on your list?
bastiendonjon commented on Jul 16, 2014
Finally, for this I use OAuth2 https://github.com/lucadegasperi/oauth2-server-laravel
schilakamarri commented on Aug 27, 2014
Is there an update on this?
jdhiro commented on Sep 8, 2014
This would really be helpful in my project. I'm expecting a single user to sign in on multiple devices, and it's not ideal if they get signed out of other devices when they do that. Thanks!
sanketsahu commented on Sep 8, 2014
It may be unrelated but I am switching to Node.js with Sails framework for APIs because of obvious reasons.
jdhiro commented on Sep 8, 2014
@sanketsahusoft seems silly to switch an entire language/framework/server because one module doesn't do exactly what you want out of the box. If you're going to do all that work, you could just add the feature and submit a PR ;)
sanketsahu commented on Sep 8, 2014
@jdhiro I love PHP and Laravel and moreover I really like this laravel-auth-token package and I have also used it in one of my projects. I am not switching to another language and framework for the reason of this particular issue. It's a completely different discussion and so I started off with "It may be unrelated..."
Just wanted to let the people know about other possibilities which may be helpful. :-)
sanketsahu commented on Sep 8, 2014
I forked this project to provide multiple sign-in
https://github.com/sahusoftcom/laravel-auth-token
I actually just commented out the line which was clearing all the tokens of the same user.
Known bug: It does not clear the sessions if there is no logout performed leaving many entries in the database.
jdhiro commented on Sep 9, 2014
@sanketsahusoft 👍
dennisoderwald commented on Oct 12, 2014
Update?
esmaeilzadeh commented on May 27, 2015
This is not a backend-only feature. The client side should provide an identifier for each device that wants to log in, so when you log out from one of these devices, the access token of this device will be erased, and when you re-login to each device the access token related to that device will be updated.
malhal commented on Aug 7, 2015
I'd really like to see this feature too. If the same user can't be logged in simultaneously on all their devices it's pretty useless.