[SOLVED] Keeping Auth for Login

That’s insanity, why would they do that? Why wouldn’t the old token be destroyed when a new one is generated for that app? I am assuming, to at least prevent CSRF, that the request can only come from the root domain of the registered domain on the app, or could someone just take that auth token anywhere and start using it to act on behalf of that account?

As it stands right now, so long as they are coming from the same IP their auth (on my side) is fine and they can interact with the site as logged in, however, if their IP changes I force delete the cookie and make them log back in by re-authing. I thought this was the way to go, since it would eliminate someone stealing the auth token and interacting with my site as that user. What you’re telling me, is all that’s doing is generating yet another perma key every time this happens. If this is the case, how am I supposed to maintain a login session and provide logging in with Twitch without generating hundreds of these keys?

Thanks for any advice.
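The usual way to keep a site login without minting a new provider token on every IP change is to decouple the two: the browser holds only an opaque, random session id, the provider's access token stays on the server (one per user), and whatever policy invalidates the session (expiry, IP mismatch) never touches the stored token. The following is an added example written for this thread, not the poster's code and not Twitch's API; `SessionStore`, its `login`/`resolve`/`token_for` methods and the sample user ids and tokens are hypothetical, and the IP check mirrors the poster's own policy rather than recommending it.

```python
"""Added example: a site session that is separate from the OAuth access token.
The cookie value is an unguessable session id; the provider token is looked up
server-side by user id and is never sent to the browser. Hypothetical helper."""
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock        # injectable so expiry can be tested deterministically
        self.sessions = {}        # session id -> {"user_id", "ip", "expires"}
        self.tokens = {}          # user id -> provider access token (server-side only)

    def login(self, user_id, access_token, client_ip):
        """Called once the OAuth flow has completed and the provider told us who
        the user is. Keeps exactly one token per user: a fresh login replaces the
        previous token instead of accumulating them, and earlier sessions for the
        same user are dropped so a stale cookie cannot linger."""
        self.tokens[user_id] = access_token
        stale = [sid for sid, s in self.sessions.items() if s["user_id"] == user_id]
        for sid in stale:
            del self.sessions[sid]
        return self._issue(user_id, client_ip)

    def _issue(self, user_id, client_ip):
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness; the only secret in the cookie
        self.sessions[sid] = {
            "user_id": user_id,
            "ip": client_ip,
            "expires": self.clock() + self.ttl,
        }
        return sid

    def resolve(self, session_id, client_ip):
        """Map a cookie value to a user id, or return None when the visitor must
        log in again. An unknown id, an expired session or an IP mismatch all
        invalidate the session; the stored provider token is left untouched."""
        s = self.sessions.get(session_id)
        if s is None:
            return None
        if s["expires"] <= self.clock() or s["ip"] != client_ip:
            del self.sessions[session_id]
            return None
        return s["user_id"]

    def token_for(self, user_id):
        """Server-side lookup used when calling the provider on the user's behalf."""
        return self.tokens.get(user_id)

    def logout(self, session_id):
        self.sessions.pop(session_id, None)


if __name__ == "__main__":
    # Constructed walk-through with made-up ids and tokens.
    store = SessionStore(ttl_seconds=60)
    sid = store.login("user-123", "constructed-token-A", "203.0.113.10")
    print("same IP   ->", store.resolve(sid, "203.0.113.10"))   # user-123
    print("other IP  ->", store.resolve(sid, "203.0.113.11"))   # None, session dropped
    print("old cookie->", store.resolve(sid, "203.0.113.10"))   # None, already invalidated
    store.login("user-123", "constructed-token-B", "203.0.113.10")
    print("tokens held for user-123:", store.token_for("user-123"))  # only token B
```

The session id should be set as a `Secure`, `HttpOnly` cookie; because the OAuth token never leaves the server, a stolen cookie exposes only a revocable session id rather than a credential that works against the provider. Binding sessions to a client IP is a coarse signal (mobile clients and proxies change addresses routinely), so the mismatch branch here simply ends the session and asks for a fresh login; that login reuses the single server-side slot for the user's token instead of adding another one.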