简体繁体 English

如何在asp.net mvc 4.0中将用户从同一个用户名和密码限制为两个系统/浏览器的逻辑？

[英]How to restrict user from same Username and Password to logic from two system/browser in asp.net mvc 4.0?

原文 2013-11-14 06:10:44 3 3 c#/ asp.net-mvc/ security

I've created a asp.net mvc4 web site. 我创建了一个asp.net mvc4网站。 I've implemented Form authentication also. 我也实现了表单身份验证。 In this web site i want to block access to my web site client in a same time (if a client of my website is already open his or her account in a computer then that client can not get any permission to open that same website on the same time in other computer or any other browser of the same system). 在这个网站我想同时阻止访问我的网站客户端（如果我的网站的客户已经在计算机上打开了他或她的帐户，那么该客户端无法获得任何权限在该网站上打开同一个网站同时在其他计算机或同一系统的任何其他浏览器中）。

I want to provide one paid service to user, and I don't want him to just share his username and password with many people to use my service simultaneously without paying for it. 我想向用户提供一项付费服务，我不希望他与许多人分享他的用户名和密码，以便同时使用我的服务而无需支付费用。 please help me soon 请尽快帮帮我

How can I implement this. 我该如何实现呢。 do i need to maintain some login information in database or is there any built in tool available for this. 我是否需要在数据库中维护一些登录信息，或者是否有可用的内置工具。

3 个解决方案

To my knowledge there is nothing built in, but you may be able to implement your own version of the ASP.NET authorization providers . 据我所知，没有任何内置，但您可能能够实现自己的ASP.NET授权提供程序版本。

Upon successful login you would need to store the value of the FormsAuthenticationTicket in your database and associate it to your user record. 成功登录后，您需要将FormsAuthenticationTicket的值存储在数据库中，并将其与您的用户记录相关联。

On every page load you would need to check the value of the ticket against the database record for that user. 在每个页面加载时，您需要根据该用户的数据库记录检查故障单的值。 In case of mismatch the user would be logged out. 如果不匹配，用户将被注销。

Using this approach if User A and User B were using the same credentials, User A was logged in and if User B then logged in, it would invalidate User A's session and they would not be able to view content at the same time. 如果用户A和用户B使用相同的凭据，则使用此方法，用户A已登录，如果用户B随后登录，则会使用户A的会话无效，并且他们无法同时查看内容。 You could also log the activity when a session is overridden, along with IP address and User Agent to help you identify users that are sharing account details. 您还可以在会话被覆盖时记录活动，以及IP地址和用户代理，以帮助您识别共享帐户详细信息的用户。

This feature is not built in. 此功能不是内置的。

I would add an "IsLoggedIn" bit column to my "User" table. 我会在“User”表中添加一个“IsLoggedIn”位列。 Then you could check this column to see if the user should be allowed in. 然后，您可以检查此列以查看是否应允许用户进入。

The problem is going to be knowing when that flag should be set to false. 问题是要知道该标志何时应该设置为false。 It's easy enough to set the flag to false if the user clicks "logout" or in the "on session end" event, but I think you'll run in to cases where that's not good enough. 如果用户单击“注销”或“在会话结束时”事件，将标志设置为false很容易，但我认为你会遇到不够好的情况。 For example, if a user logs in from a laptop and the laptop's battery fails, you aren't going to get any notification from the client that the user has left... 例如，如果用户从笔记本电脑登录并且笔记本电脑的电池发生故障，您将无法从客户端收到用户已离开的任何通知......