Allow one concurrent user per login with JWT


Question


We are developing an application with Laravel/PHP and we want to use a pay-per-user pricing model. For that we have to ensure that an account can only be used by one concurrent user. We use JWT for authentication and it is stateless, so I can't use sessions.


To ensure one concurrent login I can enclose the browser agent or IP, but both aren't unique and it is possible that they occur multiple times in e.g. an office. Also I can send the MAC address, but that is not the easiest way.


Are there other solutions to ensure one concurrent login per user with JWT?

Recommended answer


I think that the simple answer to this is NO, you cannot do that by JWT and keep the server stateless. However, if you use the setup with an Access Token and a Refresh Token, you can probably achieve something like this:

  1. A user logs in; you store the Refresh Token in a DB.
  2. The Access Token expires. Before you issue a new Access Token from your Refresh Token, make the standard check that the account is still OK, but also compare the Refresh Token to the one in your DB. Make sure they match.
  3. A second user logs in with the same account. Store the issued Refresh Token in the DB and overwrite the old Refresh Token. (One stored Refresh Token per account.)
  4. The first user's Access Token expires again. This time there is another Refresh Token in the DB, and no new Access Token is issued for that user.


This will result in a login flow where the latest user to log in can use your service. This is handy if it actually is the same user that changes device or restarts the browser session. Compare to, for example, Spotify's "chasing the stream" way of handling concurrent listening.
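Added example, not code from the question, the answer or Laravel: a Python sketch of the four-step flow above, with a constructed HS256 token, an in-memory dict standing in for the DB column, and refresh-token rotation added on top of the answer's steps. All names, the secret and the TTL are assumptions.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-secret"  # assumption: server-side HMAC key
ACCESS_TTL = 900                      # assumption: access token lifetime in seconds


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_access_token(user, now):
    """Minimal HS256 JWT (header.payload.signature) built without a library."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "exp": int(now + ACCESS_TTL)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


class RefreshStore:
    """One refresh-token hash per account: the only server-side state the flow needs."""

    def __init__(self):
        self._by_user = {}

    def login(self, user, now):
        refresh = secrets.token_urlsafe(32)
        # Store a hash so a leaked table does not hand out usable refresh tokens.
        self._by_user[user] = hashlib.sha256(refresh.encode()).hexdigest()
        return make_access_token(user, now), refresh

    def refresh(self, user, token, now):
        """Return (access, refresh) or None when this token has been superseded."""
        stored = self._by_user.get(user)
        presented = hashlib.sha256(token.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, presented):
            return None  # a newer login overwrote this account's refresh token
        # Rotation: every successful refresh replaces the stored token too.
        return self.login(user, now)


def simulate_two_devices():
    """Steps 1-4: the second login invalidates the first device's refresh token."""
    store = RefreshStore()
    _, refresh_a = store.login("alice", 0)             # step 1: device A logs in
    first = store.refresh("alice", refresh_a, 900)     # step 2: A refreshes, tokens match
    if first is not None:
        _, refresh_a = first
    _, refresh_b = store.login("alice", 1000)          # step 3: device B logs in, overwrites
    a_again = store.refresh("alice", refresh_a, 1800)  # step 4: A is refused
    b_again = store.refresh("alice", refresh_b, 1900)  # B keeps working
    return first is not None, a_again is None, b_again is not None
```

The `now` argument is passed explicitly only to keep the run deterministic; a real endpoint would read the clock and also verify the JWT `exp` claim.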
