Saturday, 27 December 2014

How do you implement an active sessions system like LinkedIn?


With some platforms, like LinkedIn, you can see a list of all sessions where you are logged in, and you can even log them out remotely.




How would you implement something like that? I'm not talking about specific code, but more about general flow.


I am using ASP.NET myself, but I think a general approach would be more useful for others.


Right now I'm thinking about something like this:



  • User logs in; validate the email/password combination.

  • Generate a GUID and save it to the database together with the UserId and browser information.

  • Put the GUID in a server-side-read-only cookie.

  • When the user wants to sign out remotely, we remove the GUID from the database.


One of the security issues here would be that the GUID can get intercepted, and an attacker could use this to log in.


So how to do this properly?
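The flow sketched in the question, worked through as an added example (not the asker's code and not LinkedIn's): a session table that records who logged in from where, a lookup that honours revocation and expiry, a listing for the "active sessions" page, and a remote sign-out that only the session's owner can trigger. It assumes an in-memory SQLite table standing in for the real store, and it departs from the GUID idea in two defensive ways: the token comes from a CSPRNG rather than a GUID, and only its SHA-256 hash is persisted, so a leaked database row cannot be replayed as a cookie. The user agents, IPs and TTL below are constructed values.

```python
import hashlib
import secrets
import sqlite3
import time

# Constructed value: sessions older than 30 days are treated as expired.
SESSION_TTL = 30 * 24 * 3600


def open_store():
    """Assumption: an in-memory SQLite table stands in for the real session store."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE sessions (
        id         INTEGER PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        token_hash TEXT    NOT NULL UNIQUE,   -- hash only; the raw token never touches disk
        user_agent TEXT,
        ip         TEXT,
        created    REAL,
        last_seen  REAL,
        revoked    INTEGER DEFAULT 0)""")
    return db


def _hash(token: str) -> str:
    # A plain SHA-256 is enough here: the token already has 256 bits of entropy,
    # so there is nothing for an offline guesser to brute-force.
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(db, user_id, user_agent, ip, now=None):
    """Called after the email/password check succeeds.
    Returns (session_id, raw_token); the raw token goes into the cookie,
    only its hash is stored alongside the UserId and browser information."""
    now = now if now is not None else time.time()
    token = secrets.token_urlsafe(32)  # CSPRNG, not a GUID (GUIDs are not guaranteed unpredictable)
    cur = db.execute(
        "INSERT INTO sessions (user_id, token_hash, user_agent, ip, created, last_seen) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (user_id, _hash(token), user_agent, ip, now, now))
    return cur.lastrowid, token


def cookie_header(token: str) -> str:
    """Set-Cookie value for the session: HttpOnly (server-side-read-only) so script
    cannot read it, Secure so it is never sent over plain HTTP where it could be intercepted."""
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def resolve_session(db, token, now=None):
    """Returns the user_id for a live session, or None if unknown, revoked or expired.
    Every request goes through here, so a remote sign-out takes effect immediately."""
    now = now if now is not None else time.time()
    row = db.execute(
        "SELECT id, user_id, created, revoked FROM sessions WHERE token_hash = ?",
        (_hash(token),)).fetchone()
    if row is None:
        return None
    sid, user_id, created, revoked = row
    if revoked or now - created > SESSION_TTL:
        return None
    db.execute("UPDATE sessions SET last_seen = ? WHERE id = ?", (now, sid))
    return user_id


def list_sessions(db, user_id):
    """Data for the 'where you are logged in' page: never the tokens, only metadata."""
    rows = db.execute(
        "SELECT id, user_agent, ip, last_seen FROM sessions WHERE user_id = ? AND revoked = 0",
        (user_id,))
    return [{"id": r[0], "user_agent": r[1], "ip": r[2], "last_seen": r[3]} for r in rows]


def revoke_session(db, user_id, session_id) -> bool:
    """Remote sign-out. The WHERE clause also checks ownership, so one user
    cannot revoke another user's session by guessing an id."""
    cur = db.execute(
        "UPDATE sessions SET revoked = 1 WHERE id = ? AND user_id = ? AND revoked = 0",
        (session_id, user_id))
    return cur.rowcount == 1


if __name__ == "__main__":
    db = open_store()
    sid, tok = create_session(db, 7, "Firefox/34 on Windows", "203.0.113.5")
    print(cookie_header(tok))
    print(list_sessions(db, 7))
    print(revoke_session(db, 7, sid), resolve_session(db, tok))
```

Revocation is a flag rather than a DELETE so the row stays available for audit ("this session was ended from another device at time T"), and `last_seen` and `ip` are what the listing page shows next to each browser. Storing only the hash addresses the interception worry from the database side; on the wire it is the Secure flag plus TLS that keeps the token out of an eavesdropper's hands.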




