How to handle login in web api

Question

Hi I'm currently learning how to build an API using .net. I'm trying to implement a login but I have some questions. I'm using Identity packafe together with EF. I saw some people recommended using jwt tokens. The problem is that I want to implement a remember me function to keep the session open until the user decides to do close it, but I also want to be able allow the user to logout from all the open sessions. Is this possible in Identity core or do I need to implement this myself?

I thought about storing the jwt tokens issued together with the user Id to be able to blacklist some. Another option is to implement a sessionId cookie but then using Identity wouldn't make sense

Answer 1

You could implement the authentication system by using JWT tokens, but you also have to keep in mind that JWTs are basically signed JSON, so you'll need some way to blacklist them (for logging out from one or more sessions).

JWTs are made for storing some data on the user side that can be trusted by the server (hence why they're signed), so storing them entirely would make it no different from a random session id, therefore I recommend you to assign each session an ID (incremented with each new session), and use that ID to blacklist the revoked JWTs.

Answer 2

You are asking multiple open ended questions here.

1. You can generally use any package for generating tokens. This is done for identifying HTTP request origin, ie who is asking a specific resource.

2. As for

remember me function to keep the session open until the user decides to close it

This is a client side functionality. That is doable with any token that is generated. Depending on your implementation, you have multiple options

• Keep the token within the sessionStorage or localStorage and use it every time when you do a request.
• Generate a cookie to store the token, so that it is attached with every HTTP request.

On log out you can clear storage or cookie so that subsequent requests will be anonymous.