On websites like Facebook and Twitter, you’ve got a function to log off on all devices. How does it work?
Does it work with IP addresses or something? What happens when you log in on a device and use that function?
P.S.: Facebook and Twitter are just examples in this question. It was just easier to explain what I mean.
Note: I’m not claiming this is how Facebook or Twitter does it, I’m merely providing a general-purpose way of accomplishing ‘Logout on all devices’-functionality.
Generally speaking, authentication works by sending a token to your device, that you subsequently use when making calls that require authentication.
Now assuming this is a valid token, the server will accept the request and perform whatever action is associated with that request. And if it’s not, it’ll throw an error back in the face of the app/website.
Logout on all devices works by taking advantage of this authentication functionality. Simply put, it invalidates all authentication tokens that were issued before now (possibly sending a logout request to connected devices first).
This means that when previously-authenticated clients try to use their authentication tokens to perform an action, the server will simply go “Nope, that token has been invalidated! Log in again please”.
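A sketch of the scheme described in the answer above, added here as an illustration and not part of the original answer or any site's actual code: each token carries its issue time, and "log out everywhere" stores a per-user cutoff that the server checks on every request. The names `issue_token`, `verify_token`, `logout_all_devices` and the in-memory `revoked_before` store are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # server-side signing key, constructed per run
revoked_before = {}                # user -> cutoff time; stand-in for a database column


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(user, now=None):
    """Return 'payload.signature' carrying the user and the issue time (iat)."""
    iat = time.time() if now is None else now
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user, "iat": iat}).encode())
    return payload.decode() + "." + _sign(payload)


def verify_token(token):
    """Return the user for a valid token, or None if forged or invalidated."""
    try:
        payload, sig = token.split(".")
        # Constant-time comparison so the check does not leak signature bytes.
        if not hmac.compare_digest(sig, _sign(payload.encode())):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    # Reject anything issued at or before the cutoff. Using <= means a token
    # minted in the same instant as the logout is also rejected (fail closed).
    if claims["iat"] <= revoked_before.get(claims["sub"], float("-inf")):
        return None
    return claims["sub"]


def logout_all_devices(user, now=None):
    """Invalidate every token issued to `user` up to this moment."""
    revoked_before[user] = time.time() if now is None else now
```

Because the cutoff is looked up on every request, the server does not need to know which devices hold tokens; the old tokens simply stop verifying.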