<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Api token access with authlogic and login</title>
	<atom:link href="http://blog.ekynoxe.com/2009/11/04/api-token-access-with-authlogic-and-login/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.ekynoxe.com/2009/11/04/api-token-access-with-authlogic-and-login/</link>
	<description>development   /   design   /   photography</description>
	<lastBuildDate>Sat, 04 Sep 2010 10:51:11 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Matt</title>
		<link>http://blog.ekynoxe.com/2009/11/04/api-token-access-with-authlogic-and-login/comment-page-1/#comment-214</link>
		<dc:creator>Matt</dc:creator>
		<pubDate>Mon, 05 Apr 2010 16:48:48 +0000</pubDate>
		<guid isPermaLink="false">http://blog.ekynoxe.com/?p=111#comment-214</guid>
		<description>Hi Paul,

I agree with you, this solution is nowhere near universal and has its problems as you pointed out.

However, it has been working fine for me with two clients (a web client and an XML API client) logged in at the same time, as both use different authentication methods.

The XML API uses the single_access_token, while in my application, I use the excellent authlogic, which I think uses the persistence_token of the user model. As both are different in the DB, this works well.

Also, admitting that both solutions would use the same single_access_token, resetting it only for one format would lead to strange results, and an inconsistent behavior for the user.

Now, if you want to access a website both on a web desktop and let's say on a web mobile, for sure, there will be a problem with my solution, but my guess is this will not happen often.</description>
		<content:encoded><![CDATA[<p>Hi Paul,</p>
<p>I agree with you, this solution is nowhere near universal and has its problems as you pointed out.</p>
<p>However, it has been working fine for me with two clients (a web client and an XML API client) logged in at the same time, as both use different authentication methods.</p>
<p>The XML API uses the single_access_token, while in my application, I use the excellent authlogic, which I think uses the persistence_token of the user model. As both are different in the DB, this works well.</p>
<p>Also, admitting that both solutions would use the same single_access_token, resetting it only for one format would lead to strange results, and an inconsistent behavior for the user.</p>
<p>Now, if you want to access a website both on a web desktop and let's say on a web mobile, for sure, there will be a problem with my solution, but my guess is this will not happen often.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Paul</title>
		<link>http://blog.ekynoxe.com/2009/11/04/api-token-access-with-authlogic-and-login/comment-page-1/#comment-213</link>
		<dc:creator>Paul</dc:creator>
		<pubDate>Mon, 05 Apr 2010 15:19:01 +0000</pubDate>
		<guid isPermaLink="false">http://blog.ekynoxe.com/?p=111#comment-213</guid>
		<description>Hi,

I see that in your solution there is one trick: when a user first authenticates through the client and then through the Web, they cannot work in parallel, because you reset the single token. Maybe better to reset it only for format xml.

But also you cannot be logged in in parallel through two clients. Otherwise maybe better to use the token of the session, not the user&#039;s model.

Paul</description>
		<content:encoded><![CDATA[<p>Hi,</p>
<p>I see that in your solution there is one trick: when a user first authenticates through the client and then through the Web, they cannot work in parallel, because you reset the single token. Maybe better to reset it only for format xml.</p>
<p>But also you cannot be logged in in parallel through two clients. Otherwise maybe better to use the token of the session, not the user&#8217;s model.</p>
<p>Paul</p>
]]></content:encoded>
	</item>
</channel>
</rss>
