Allow one concurrent user per login with JWT

Question

We are developing an application with Laravel/PHP and we want to use a pay-per-user pricing model. For that we have to ensure that an account can only be used by one concurrent user. We use JWT for authentication and it is stateless, so I can't use sessions.

To ensure one concurrent login I can enclose the Browser-agent or IP, but both aren't unique and it is possible that they occur multiple times in e.g. an office. Also I can send the MAC address, but that is not the easiest way.

Are there other solutions to ensure one concurrent login per user with JWT?

Recommended answer

I think that the simple answer to this is NO, you cannot do that by JWT and keep the server stateless. However, if you use the setup with an Access Token and a Refresh Token, you can probably achieve something like this:

  1. A user logs in, you store the Refresh Token in a DB.
  2. The Access Token expires. Before you issue a new Access Token from your Refresh Token, make the standard check that the account is still OK, but also compare the Refresh Token to the one in your DB. Make sure they match.
  3. A second user logs in with the same account. Store the issued Refresh Token in the DB and overwrite the old Refresh Token. (One stored Refresh Token per account.)
  4. The first user's Access Token expires again. This time there is another Refresh Token in the DB, and no new Access Token is issued for that user.

This will result in a login flow where the latest user to log in can use your service. This is handy if it actually is the same user that changes device or restarts the browser session. Compare to, for example, Spotify's "chasing the stream" way of handling concurrent listening.
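The four-step flow from the answer, as an added example that is not part of the original post or the asker's Laravel project: it is written in Python rather than PHP, a dict stands in for the database, the "access token" is a plain claims dict instead of a signed JWT, and only a hash of the refresh token is stored so a leaked table does not hand out usable tokens.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

ACCESS_TTL = 300                      # seconds an access token stays valid (constructed value)
refresh_store: Dict[str, str] = {}    # account -> sha256 of the one live refresh token (the "DB")


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_access_token(account: str, now: float) -> dict:
    # Stand-in for a signed JWT; only the claims matter for this flow.
    return {"sub": account, "exp": now + ACCESS_TTL}


def login(account: str, now: float) -> Tuple[dict, str]:
    """Steps 1 and 3: issue a fresh refresh token and overwrite whatever is stored."""
    refresh = secrets.token_urlsafe(32)
    refresh_store[account] = _digest(refresh)   # one stored refresh token per account
    return issue_access_token(account, now), refresh


def refresh_access(account: str, refresh: str, now: float,
                   account_ok: Callable[[str], bool] = lambda a: True) -> Optional[dict]:
    """Steps 2 and 4: reissue an access token only if this refresh token is the stored one.

    `account` would normally come from the refresh token's own subject claim; it is
    passed explicitly here to keep the example free of any JWT library.
    """
    if not account_ok(account):                 # the "account is still OK" check
        return None
    stored = refresh_store.get(account)
    if stored is None or not hmac.compare_digest(stored, _digest(refresh)):
        return None                             # superseded by a later login, or never issued
    return issue_access_token(account, now)


if __name__ == "__main__":
    _, first = login("alice", 0.0)              # first device
    _, second = login("alice", 400.0)           # second device overwrites the stored token
    print("first device refresh:", refresh_access("alice", first, 700.0))    # None
    print("second device refresh:", refresh_access("alice", second, 700.0))  # claims dict
```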
