I’m in the initial stage of building a php/mysql backend that exposes a REST interface to a website and iphone/android/etc devices.

I’m not quite sure what is the ‘standard’ or ‘best practices’ for dealing with sessions for multiple devices that use the same account.

Here is my current thoughts on how this would work:

1. I would use MySQL to store sessions for now, with a sessions table like so:

   id, session_id (hash), user_id (int), created (timestamp), expire (timestamp), device (enum)

2. When a user login via iOS app or android app, I would return a session token in the success json for future api calls to use. Same with the website making an api call.

3. For security purposes, I should regenerate and overwrite the session token if the user re-login, but only for the session_id for that device.

4. I also have an expire column that tells me the expiration of the session so that if I wish, I can create a session that can expire in two weeks and is periodically cleaned by a CRON job.

This seem like a reasonable approach to me, but there are problems if the user uses an iphone and an ipad, or multiple android devices using the same account. Anytime the user logins with one would cause the other to log out.

I noticed instagram didn’t invalidate the session even if I login from another iphone.

However, I don’t think I can duplicate that behavior unless I never overwrite a session token when a user re-login or keep adding session rows into my session table whenever the user logins from the iphone?

What is the standard way of handling sessions across different devices?