The State Changers' meeting centered around multiple user log-in prevention on platforms created with Xano. The main concern was how to avoid users logging in through the same account simultaneously.
The technical remedy discussed was leveraging the "extras" field available when creating an authorization token. This field can include a unique identifier, such as session key that corresponds to a login instance. By enforcing that only one token works at a time and adding this unique identifier within the token, password sharing can be monitored and regulated. The process involves adding an identifier to the user's profile every time they log in. When the system gets an auth token, it checks if the identifier in the token matches the one in the user's profile. If it doesn’t, access is denied, meaning only the latest logged-in user can be in the system. The meeting also highlighted potential user experience risks, as these measures might inadvertently create a negative experience for users who are not intentionally sharing passwords. Changes in IP address due to switching between different connections (e.g., mobile data and Wi-Fi) could trigger false positives. Towards the end of the meeting, the concept of "Cross-checking" was discussed. It involves saving the session key in two places: the authorization token and the database. This key is then used for matching purposes during subsequent authenticated requests to confirm the user's session. The meeting served as a tutorial for using Xano's features to improve system security and manage user sessions effectively to prevent multiple logins with the same account.
(Source: Office Hours 10/3/2023 )
