Hello! I’m trying to implement the following login flow for a web game: the player is able to join as a guest account if they never played before, but can authenticate and login with a non-guest account by using an e-mail and password, and then that session can persist for a certain amount of time or until the player logs out or starts a session on another device. Ideally, the player shouldn’t be asked to input their credentials all the time, so restoring their session (if it wasn’t expired) seemed the most logical step to take.
Then, the problems and a few questions:
- After digging a bit, I found out that you can restore sessions from a string, which worked fine until I encountered an extremely weird bug where two distinct sessions were accessed from another, completely unrelated testing machine, which was catastrophic - imagine random strangers getting access to your account. How could this happen if the tokens are only being saved locally?
- Restoring a session does not invalidate the previous ones, so players can play against themselves if they open a second tab. Is it possible to invalidate the previous session upon authentication so that won't happen?
- What is the correct pattern to use to obtain the desired flow that I’ve described before? Should I use sessions and manipulate the tokens or should I use another method? What method?