I'm developing an app that has its own login system. I'm using a servlet in Tomcat for the server side. When a user registers with my app, I create an access token and a refresh token, and send both to the user. While using the app, the user provides the access token, and if it:
- is expired, the server requests the refresh token (and then, if it is valid, the server issues another access token);
- is invalid, the server responds with invalid_access, and the user is logged out.
I use HttpSession to "store" the user's session on the server side, and I store user information there, like the access token and refresh token, for validating the requests. Now, in my DB I have a table for users and a table for tokens (each row has a refresh token, an access token, an expiry, and the user reference).
When a user logs in, the server side creates the access and refresh tokens, creates an HttpSession and stores them in the HttpSession.
So if the user logs in using two different devices, the user will have two HttpSessions on the server side, and this is what I want (multiple sessions work well).
But, if I change the password on one user device, I would like all the other sessions to be invalidated and the tokens in the DB invalidated too.
But my solution doesn't provide this, because if a user changes his password, the only HttpSession that would be invalidated is the one associated with the cookie of his own device; and even if I change the tokens in the DB, the requests from other devices will check the tokens only in their own session (which would seem to be valid).
Now the question is: how can I invalidate the other HttpSessions associated with the user? Should I store them in the DB and then, while changing the password, invalidate them all?
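One way to do what the question asks, as an added example that is not part of the original post: a per-JVM registry that records every live HttpSession per user (via an HttpSessionListener) so the change-password handler can invalidate all of them except the caller's, while the token rows in the DB are revoked in the same step so that a request arriving with a stale token is rejected even if it never touches an HttpSession. The attribute name `userId`, the `javax.servlet` package (Tomcat 9 and earlier) and the DB call are assumptions.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical registry: maps a user id to every live HttpSession that belongs to that user. */
@WebListener
public class UserSessionRegistry implements HttpSessionListener {
    private static final String USER_ATTR = "userId"; // assumed attribute name set at login
    private static final Map<String, Set<HttpSession>> BY_USER = new ConcurrentHashMap<>();

    /** Call once at login, after authentication succeeds and the token pair has been issued. */
    public static void register(HttpSession session, String userId) {
        session.setAttribute(USER_ATTR, userId);
        BY_USER.computeIfAbsent(userId, k -> new CopyOnWriteArraySet<>()).add(session);
    }

    /** Call from the change-password handler: drop every other session and token of this user. */
    public static void invalidateOthers(String userId, HttpSession current) {
        // 1. Revoke first in the DB (assumed DAO), so a request racing this call cannot pass on
        //    a token that only its own stale HttpSession still believes is valid.
        TokenDao.deleteAllExcept(userId, (String) current.getAttribute("accessToken"));
        // 2. Kill the other server-side sessions. CopyOnWriteArraySet tolerates the removals that
        //    sessionDestroyed() performs while we iterate.
        for (HttpSession s : BY_USER.getOrDefault(userId, Set.of())) {
            if (s != current) {
                try { s.invalidate(); } catch (IllegalStateException alreadyGone) { /* expired meanwhile */ }
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { /* nothing to do until login binds a user */ }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Fires before attributes are unbound, so the user id is still readable here.
        HttpSession s = se.getSession();
        Object userId = s.getAttribute(USER_ATTR);
        if (userId != null) {
            BY_USER.computeIfPresent((String) userId, (k, set) -> {
                set.remove(s);
                return set.isEmpty() ? null : set; // drop empty entries so the map does not grow forever
            });
        }
    }
}
```

Because the registry lives in one JVM's memory, it does not cover a clustered Tomcat; the DB revocation is the authoritative check there, which is why every request handler should validate the presented token against the DB (or a per-user token version) rather than only against the copy cached in its own HttpSession.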