I’ve a website where user is logged in multiple browsers like; Firefox and Chrome. I want to implement a functionality when user changed the password in Firefox, then in Chrome, it too should be logged out. How I can achieve in JavaScript?
Can we implement this with local storgae or session?
2
Answers
Local and session storage are not shared between different browsers, so you need more than just the storage.
There are a couple ways you can implement this feature, it depends on how your application is set up.
The easiest way is to tell the client when a password was changed, for example via a web socket connection. If a password was changed, you can then unset all the JWT tokens on the client.
You can also keep a reference to the tokens on the server, and validate if the token is still valid (for example with a unique ID in the payload of the JWT). If that is not the case, you return an error to the client, and unset the JWT token based on that error.
A pure "client-side" JavaScript solution is not possible in this case.
I implemented this some days ago (with an Angular client and PHP server).
Since I can’t use a server-sent message that invalidates the localStorage, I adopted a refresh token with a short-living access token. The refresh token is used to get a new access token every N minutes, it is saved in the server DB and deleted when user changes password.
In this way all session will auto-close in N minutes.
You can implement a more simple solution using polling: the server has to provide a "ping" API that checks the token; the client calls this API and manages a "KO" response.