7

On websites like Facebook and Twitter, you've got a function to log off on all devices. How does it work?

Does it work with IP addresses or something? What happens when you log in on a device and use that function?

P.S.: Facebook and Twitter are just examples in this question. It was just easier to explain what I mean.

2
  • 1
    For the specifics of how it works for Facebook and Twitter, you'd have to ask them. Commented Oct 4, 2016 at 11:22
  • @DavidArno: Facebook and Twitter were just examples to better explain what I mean. PS: I've updated my question. Commented Oct 4, 2016 at 15:39

1 Answer

16

Note: I'm not claiming this is how Facebook or Twitter does it, I'm merely providing a general-purpose way of accomplishing 'Logout on all devices'-functionality.

Generally speaking, authentication works by sending a token to your device, that you subsequently use when making calls that require authentication.

Now assuming this is a valid token, the server will accept the request and perform whatever action is associated with that request. And if it's not, it'll throw an error back in the face of the app/website.

Logout on all devices works by taking advantage of this authentication functionality. Simply put, it invalidates all authentication tokens that were issued before now (possibly sending a logout request to connected devices first).

This means that when previously-authenticated clients try to use their authentication tokens to perform an action, the server will simply go "Nope, that token has been invalidated! Log in again please".

5
  • Sorry, but I hadn't explained that Facebook and Twitter are just some examples. I hadn't said that I was asking for a general solution. Thanks for the answer. Commented Oct 4, 2016 at 18:03
  • I have one more question for you: 1. Does every user have a unique token that could be used for multiple devices, or 2. is there one unique token for each device, so that a user has multiple unique tokens? Commented Oct 10, 2016 at 5:51
  • 1
    Usually every device has a unique token. Otherwise you wouldn't be able to identify devices, and it would make it a lot more insecure to use the same token for all devices. If the token was leaked without your knowledge, someone else could be impersonating you, because you'd only have 1 unique token. Commented Oct 10, 2016 at 6:57
  • That's what I expected. But how do you know that the device that authenticates with a unique code is always the same one? I mean, what if the token of device A is stolen and used to authenticate device B? Commented Oct 10, 2016 at 7:10
  • 1
    Well, you don't. And that's when the user would use the 'Invalidate all tokens'-functionality. Commented Oct 10, 2016 at 7:14
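
A minimal sketch of the scheme described in the answer and its comments, added here as an illustration and not code from the original post: one random token per device, plus a per-user cutoff so that "log out everywhere" rejects every token issued up to that moment. The names `SessionStore`, `login`, `authenticate`, `logout_device` and `logout_everywhere` are hypothetical, and the in-memory dicts stand in for a server-side database.

```python
import hashlib
import secrets
import time


class SessionStore:
    """In-memory stand-in for a server-side session table (hypothetical API)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}     # sha256(token) -> (user, device, issued_at)
        self._valid_after = {}  # user -> cutoff set by logout_everywhere()

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked session table does not leak usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, device):
        # One unguessable token per device, as the comments recommend.
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = (user, device, self._clock())
        return token

    def authenticate(self, token):
        entry = self._sessions.get(self._digest(token))
        if entry is None:
            return None  # unknown token, or that device was logged out
        user, device, issued_at = entry
        # Fail closed: a token issued at or before the cutoff is rejected.
        if issued_at <= self._valid_after.get(user, float("-inf")):
            return None
        return user, device

    def logout_device(self, token):
        self._sessions.pop(self._digest(token), None)

    def logout_everywhere(self, user):
        # "Invalidate all tokens issued before now" for this user only.
        self._valid_after[user] = self._clock()


if __name__ == "__main__":
    store = SessionStore()
    phone, laptop = store.login("alice", "phone"), store.login("alice", "laptop")
    store.logout_everywhere("alice")
    print(store.authenticate(phone), store.authenticate(laptop))  # None None
```

A stolen copy of a device's token is indistinguishable from the original on the server side, so it is rejected by the same cutoff check once the user logs out everywhere.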
