
Azure AD - multiple tabs or browsers - session management

I'm trying to determine how to handle session management with multiple tabs and browsers. I want my React application to:

  • Only allow one active token, so that if you logged into a new tab or browser, the previous tab's session would end (or at least future requests on it would be invalid). Currently I can log in any number of times in new tabs or different browsers and get a new token every time; the previous ones still work too.

  • If you duplicate a tab, the same session / local storage info is there, so the token is the same; that's permissible.

  • If you have two tabs via duplication, and you sign out of one, the other should stop working because the token should no longer be valid.

I'm using the react-adal package and mainly followed this tutorial for session management, but these are the missing requirements I'm trying to fill in. I can't find anything about these configurations in the AAD documentation. All I've found are timeout options, nothing about simultaneous tabs and different browsers.

There isn't a boilerplate solution I'm aware of. However, if you are able to maintain in-process session state, or out-of-process (using Redis, SQL or a storage account etc.), then you could generate a single-use token for each dynamic (state-changing) content request.

You will need to validate this token for each and every request, and it must be associated with the user. If the user doesn't present a token, or there is a token mismatch, redirect them to the logout URL. Your logic could overwrite the token on a new login, thus rendering the old session invalid. This is similar to anti-CSRF tokens.

The tutorial you linked explains how you can log the user out.
