When a client tries to establish a new connection with the server using the auth token, if the auth token is valid and hasn’t expired yet, we issue a session token to the client.
The client must then send the session token in every call it makes. We need to ensure that:
A client can’t start another session 1 hour (a constant) after he started the first session - this requires the start time of the first session to be written to the file that holds all the other info:
<name> <email> <valid-until> <token only alphanumerics> <start-time>.
Multiple sessions for the same user aren’t active at the same time - the session info for the current session can be kept in memory. When the client connection is closed, we can clear the session info in memory.
A client shouldn’t be shown a repeated question if he starts another session after the first session got killed for some reason.
This should be fine if the client’s connection was dropped, since the question list that we store in memory is specific to an auth token. However, it might be a problem if we store the question list in memory and the server crashes. Should we worry about the server crashing case?
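
A sketch of the session rules above, added here as an example and not taken from the project's code. It assumes the time fields are Unix seconds, that "-" in <start-time> means no session has started yet, and that a new session is refused once exactly one hour has elapsed; SessionManager, parse_record and the sample record are hypothetical names and constructed data.

```python
import hmac, secrets, time

SESSION_WINDOW = 3600  # the "1 hour" constant from the notes, in seconds

def parse_record(line):
    # <name> <email> <valid-until> <token> <start-time>
    # Assumed encoding: times are Unix seconds, "-" means no session started yet.
    name, email, valid_until, token, start = line.split()
    if not (token.isascii() and token.isalnum()):
        raise ValueError("token must be alphanumeric")
    return {"name": name, "email": email, "valid_until": int(valid_until),
            "token": token, "start": None if start == "-" else int(start)}

class SessionManager:
    def __init__(self, lines):
        self.records = {r["token"]: r for r in map(parse_record, lines)}
        self.active = {}  # auth token -> session token, kept in memory only

    def open_session(self, auth_token, now=None):
        now = int(time.time()) if now is None else now
        rec = self.records.get(auth_token)
        if rec is None or now >= rec["valid_until"]:
            return None, "invalid or expired auth token"
        if auth_token in self.active:
            return None, "session already active"
        if rec["start"] is None:
            rec["start"] = now  # first session: write back with dump()
        elif now - rec["start"] >= SESSION_WINDOW:
            return None, "session window elapsed"
        self.active[auth_token] = secrets.token_urlsafe(32)
        return self.active[auth_token], "ok"

    def check(self, auth_token, session_token):
        # Every later call must carry the current session token.
        current = self.active.get(auth_token)
        return current is not None and hmac.compare_digest(
            current.encode(), session_token.encode())

    def close(self, auth_token):
        self.active.pop(auth_token, None)

    def dump(self):
        # Lines to write back to the file so the start time survives a restart.
        return ["{name} {email} {valid_until} {token} ".format(**r)
                + ("-" if r["start"] is None else str(r["start"]))
                for r in self.records.values()]

# Constructed sample record, not real data.
SAMPLE = ["alice alice@example.com 2000000000 Abc123Token -"]
```

Because the active-session map lives only in memory, a server restart clears it, while the start time written back through dump() still enforces the one-hour limit.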