Click here to Skip to main content
15,354,956 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
I have a c# webapi having angular web and android, ios apps.I am going to use simple token based authentication.Token is issued at login time and used for future requests.

The problem is that how can i devalidate/logout a token of a specific for different devices like web(this also includes request from different browsers) and mobile.

The customer can login from web and mobile at same time and also on web customer can login using multiple browsers or multiple account windows in browser or incognito window. I know this work can be done at client side but how can i also do it server side.

How a server side knows that request for a specific user has came from where.So that it can remove that token from database to logout the user.

What I have tried:

Tried jwt , saml but could not find solution of problemc
Posted
Updated 6-Mar-22 2:53am

That depends entirely on the WebApi. You'll have to consult the documentation of the API in question to find out how to do it and if it's even supported.
   
Comments
Member 9129971 24-Mar-17 2:46am
   
I think you have not understand my question, may be i have not explained well.Actullay I am developing this api and i know there is no way currently to do this so how can i do this, can you show any code sample how to do this.
Dave Kreskowiak 24-Mar-17 10:59am
   
OK, then it's entirely up to you how you handle it. You could just put a LogOut method in your API to handle removing the token from your database or just let the token expire and remove it if the current date/time is greater than the expiration date/time. How you do this is entirely up to you.
Member 9129971 24-Mar-17 12:16pm
   
then how will i differentiate a user logged in on multiple browsers or incognito mode , there will be 3,4 tokens of that user at a same time , how will i know that which token to remove?(I am not asking to logout the token which is passed, i want to implement the same functionality which webforms server side sessions had i.e they know from which browser the request is comming , they use something like session cookie).Also i don't want to do this whole work from scratch since i have very limited time. so is there any builtin mechanism in .net web api , like owin or auth or formsauthentication.
Dave Kreskowiak 24-Mar-17 12:42pm
   
The client code has to post every request with it's token or some ID for it in the database. I would have thought that would be obvious.

There is no built-in method to do this.
Hi There !
you already done the half of it
you can Store data in JWT such as device unique identifier or any other data that helps you identify the user and get it at every request for the clint side
there a payload section at jwt allow you to store custom data
payload Ex:
{
  "UserID": "BLh4ug==",
  "Username": "Jhon",
  "SessionId": "BLh9to618fq6",
  "TokenType": "AccessToken",
  "nbf": 1646571391,
  "exp": 1646657791,
  "iat": 1646571391,
  "iss": "Asaryasoft",
  "aud": "Owners"
} 
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900