Token Authentication and Logout Functions
In a very simple token-authentication scheme, the login process consists of providing credentials and obtaining a token. With RESTful APIs, the token is included in the header of every API call to indicate that the user is logged in.
My question is: what would the logout procedure look like?
- Server-side token removal? What if the user wants to log out on the web but log into the mobile application?
- Removing the token on the client side? Shouldn't the server enforce this?
- How is the server supposed to disable the token?
How is the logout mechanism implemented?
I think the logout action would just invalidate the token on the server side (delete it from your database, set the expire flag to false, ...). If you want to support multiple types of REST clients, you must specify which device you want to receive the security token for. In that case, you can invalidate them separately.
To provide the device type, you can use the User-Agent header or supply your own header.
Perhaps this link can help you design your token management: http://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/
You mentioned web mode. For this use case (which is a bit specific, since the browser holds the token for you implicitly), I assume you are using cookies. So yes, for this specific use case, the corresponding cookie must also be revoked.
Hope this helps. Thierry
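As an added illustration of the answer above (example code written for this page, not code from the question, the answer or the linked article), here is a minimal server-side token store in Python: the server keeps one session record per (user, device), logout marks that record revoked so the token is rejected even if the client still holds it, and tokens for other devices stay valid. The device is taken from a custom header (the name `X-Device-Type` is an assumption) with a User-Agent fallback, as the answer suggests. The TTL and the request headers in `demo()` are constructed values.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 3600  # constructed value; pick a lifetime that fits your deployment


@dataclass
class Session:
    user: str
    device: str
    issued_at: float
    revoked: bool = False


def _fingerprint(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """Server-side registry of issued tokens.

    Logout is a server-side state change (the record is marked revoked); a client
    discarding its copy is not what makes the token unusable. One record per
    (user, device) lets web and mobile sessions be revoked independently.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, device: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        issued = time.time() if now is None else now
        self._sessions[_fingerprint(token)] = Session(user, device, issued)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the live session for a token, or None if unknown, revoked or expired."""
        now = time.time() if now is None else now
        session = self._sessions.get(_fingerprint(token))
        if session is None or session.revoked:
            return None
        if now - session.issued_at > TOKEN_TTL_SECONDS:
            return None
        return session

    def logout(self, token: str) -> bool:
        """Revoke one token (one device). Returns False if it was not live."""
        session = self._sessions.get(_fingerprint(token))
        if session is None or session.revoked:
            return False
        session.revoked = True
        return True

    def logout_everywhere(self, user: str) -> int:
        """Revoke every live token of a user (e.g. after a password change)."""
        count = 0
        for session in self._sessions.values():
            if session.user == user and not session.revoked:
                session.revoked = True
                count += 1
        return count


def device_from_headers(headers: Dict[str, str]) -> str:
    """Classify the caller. The explicit header wins; the User-Agent
    fallback is a convenience heuristic, not a security control."""
    explicit = headers.get("X-Device-Type")  # assumed custom header name
    if explicit:
        return explicit.strip().lower()
    agent = headers.get("User-Agent", "").lower()
    if "android" in agent or "iphone" in agent:
        return "mobile"
    return "web"


def bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def demo() -> Dict[str, bool]:
    """Login on web and mobile, then log out the web session only (constructed requests)."""
    store = TokenStore()
    web_token = store.issue("alice", device_from_headers({"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}))
    mobile_token = store.issue("alice", device_from_headers({"X-Device-Type": "mobile"}))

    presented = bearer_token({"Authorization": f"Bearer {web_token}"})
    if presented is not None:
        store.logout(presented)

    return {
        "web_still_valid": store.validate(web_token) is not None,
        "mobile_still_valid": store.validate(mobile_token) is not None,
    }


if __name__ == "__main__":
    print(demo())  # {'web_still_valid': False, 'mobile_still_valid': True}
```

The point the answer makes is visible in `demo()`: revoking the web token does not touch the mobile one, because each device received its own token. If the web client is a browser holding the token in a cookie, the logout response also has to clear that cookie, as the answer notes; the server-side revocation is what actually stops reuse.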