moscajs / mosca

MQTT broker as a module
mosca.io

Set clientID on server side at handshake thanks to a JWT token #695

Open Fr33maan opened 6 years ago

Fr33maan commented 6 years ago

Hi, I've got a simple use case: a mobile app with in-app chat. When the client is online, he receives messages via MQTT. I want the session to be persistent so he will instantly receive unread messages when he connects back. For this, I need a clientID and cleanSession = false.

I want to send the client's JWT token as the clientID, but as the token will change every time the client asks for a renewal, it's not a good way to keep persistence.

The best way would be to take the user id from the database so the clientID will remain the same for life, but as clients can send any client id, session hijacking is easy.

The solution would be to send the JWT at connection, perform a JWT authentication server side at handshake and then set the clientID to retrieve the right session and send messages to the client if there are any stored.

I also need to refuse any clientID sent by clients and systematically overwrite it.

Is this possible, or should I instead generate a random string and store it on the device? But if the user decides to wipe out the app data, he will lose his connection.

Thanks