This is how my setup works:
- Client loads app, and before anything dynamic loads, client connects to Websocket
- Client sends login, device token, and session token through Websocket (of course if they were logged in before) from localStorage
- Golang Websocket server checks if database has matching login, device token, session token, client's browser/version, etc (I get a few other pieces of data to match a device with the user's HTTP request for extra security)
- If there's a match, Golang generates a new session token, updates the database match with it, and sends it back to the client
- Client gets session token and updates it in their localStorage to use the next time they load the site
Now, don't get me wrong. Everything is working great... but there's one problem:
If a user logs in, then reloads the page a bunch of times as fast as they can, sometimes the websocket and server don't have enough time to get the user's next session token back to them. This of course causes their tokens to expire and be removed from the database and notifies the user that their credentials have either been expired or stolen (which really doesn't look good from a business standpoint).
I have some thoughts on solutions, but none seem promising in scalability and for the long run.
All thoughts and solutions on the matter are appreciated!