I am creating an rest-api with nextjs that will be with interacting with mobile application and web application. and my question is it a bad practice to the following as authentication without checking sessions. mysql scheme.

Table users.

ID USERID EMAIL NAME CREATEDAT

TABLE ACCESS TOKEN

ID USERID ACCESSTOKEN EXPIRATIONDATE IP LASTSIGNIN

User Create an account with https post request and creates a row at users table Also create a row with ip and access token with expiration date of the token.

Access token is save at the as cookie in users webbrowser

and with every visit on pages that require log in or a post request that token is matched with access token and ip is match with ip in access token tab

in case of difference in ip or token expired the users will be signed out immediately.