
I am making an application in which I am using JWT for maintaining sessions. When a new user registers, I provide a JWT token to the user and store it in my database as well as in the user's browser. When the user logs out, I delete that token from the browser and from my database.

But I want that if the user is logged in from multiple devices and logs out from one device, it does not log them out from the other devices as well. How do I achieve this?

Devendra Verma
  • Possible duplicate of [Invalidating JSON Web Tokens](http://stackoverflow.com/questions/21978658/invalidating-json-web-tokens) – DrakaSAN Aug 22 '16 at 11:45

2 Answers


First, JWTs are not supposed to be able to "log out", but to expire automatically; that is why you are supposed to set short expiresIn times.
This is because with JWT, sessions are handled by the client. It is not the server's responsibility to log out users; it is the user who simply throws away the JWT.

In your case, I suppose you check whether the JWT exists in your DB before allowing the user, and as such, you just need to search for and delete the other JWTs associated with that account.
But if you want to make things clean, embrace the JWT logic: just set a short lifetime and wait for them to expire.

DrakaSAN
  • so should I store tokens in my db or not? – Devendra Verma Aug 22 '16 at 11:46
  • Preferably, you should not, but if for whatever reason you prefer to store them, I provided you a way to "log out" the other devices. – DrakaSAN Aug 22 '16 at 11:48
  • With JWT, sessions are stored inside the JWT. JWTs aren't a good fit if you need to change session data often; they are more appropriate for REST APIs. – DrakaSAN Aug 22 '16 at 11:52
  • OK, I got it. You are saying that I should make different tokens for different login devices, and when the user logs out I should delete the token for that specific device. And if he decides to log out from all devices, then all tokens must be deleted. – Devendra Verma Aug 22 '16 at 11:56
  • Actually I was making the same token for all devices, so when the user logs out from one device he automatically gets logged out from the other devices as well. – Devendra Verma Aug 22 '16 at 11:58

Just use an array of tokens in the database. Each device will have its own token in the array of tokens (each token is added to the DB when the user first logs in from a new device), and when the user logs out from that device, only the associated token in the tokens array gets deleted. Here is an example of a User schema:

var mongoose = require('mongoose');

var userSchema = new mongoose.Schema(
  {
    name: {
      type: String,
      required: true, // "require" is not a mongoose option; the key is "required"
      trim: true
    },
    // ... (other fields omitted by the author)
    // One entry per logged-in device; logging out removes only that entry.
    tokens: [
      {
        token: {
          type: String,
          required: true
        }
      }
    ]
  }, // closing brace of the field definitions was missing in the original
  {
    timestamps: true
  }
);
ttfreeman
  • "only the associated token from the tokens array gets deleted", but how to associate a token with a certain device? – RoyalGoose Mar 23 '22 at 14:08
  • @RoyalGoose when a user logs in from a browser you usually save the token to their browser (this way they don't have to log in again until the expiry of the token). When they log out, you delete that token from both the device/browser as well as the database. So the association is the token itself. – ttfreeman Mar 26 '22 at 18:05