I am going to build one web service in .Net. This web service will be used in winform application, web application and mobile apps.
I want to secure this web service using token.
When user login to the web service, system will generate unique token on successful login and store in database. Application should pass this token for each methods in web service. My database validates this token and send response to end user.
Now problem with this architecture is, each successful login changes token and if another login with same credentials stops previous successful login.I want to allow multiple logins with same credentials.
Please suggest me good solution for this problem.
Thanks
The first thing that pop-up in my mind is to check your database for existing token and then if there is already generated one you should return it. But I don't know how good is that. ASP.NET Identity is working over OAuth2 protocol, which is kind of similar.
Login with user credentials, it doesn't matter from what kind of device is creating an access token, which got expiration time. If you try to log in while this token is still valid you always get that token.
My suggestion is to use the provided Identity and just extend it. If you are doing code first you can extend IdentityUser, add some extra properties and create all the tables you need for your application. Here is some useful links:
OAuth2 official page
Token Based Authentication using ASP.NET Web API 2, Owin, and Identity
I hope I helped