防止用户组中的同时并发和最大登录
[英]Prevent simultaneous concurrent & maximum logins in User group
问题描述
is it possible to allow only one concurrent login per user in Asp.Net web application? 
是否可以在Asp.Net Web应用程序中仅允许每个用户进行一次并发登录?
I am working on one web application in which i want to make sure that website allow only one login per user at a time . 我正在开发一个Web应用程序,我希望确保该网站每个用户一次只能登录一次。 How to check that current user already logged in or not . 如何检查当前用户是否已登录。
Also I wanted to Limit no of logins per group as defined. 此外,我想限制每组定义的登录数量。 like Maximum 10 IT department people can login at a time, maximum 5 HR department people can login. 像最多10个IT部门人员可以一次登录,最多5个人力资源部门人员可以登录。
I am using simple database to store the login information 我使用简单的数据库来存储登录信息
1 个解决方案
解决方案1
2 已采纳 2014-02-24 17:57:18
So there are two different things that you need to keep track of here and check on. 因此,您需要跟踪这两个不同的事情并检查。
The first is that, when someone logs in, you'll want to invalidate any previous sessions for that username. 首先,当有人登录时,您将要使该用户名的任何先前会话无效。 This prevents the trivial case of someone logging in on one machine and then logging in on another machine, as the first machine will no longer be able to make any new authenticated requests. 这可以防止有人在一台计算机上登录然后登录另一台计算机,因为第一台计算机将无法再生成任何新的经过身份验证的请求。 This will be sufficient in most cases for dealing with users who aren't actively trying to subvert this restriction. 在大多数情况下,这对于处理未积极尝试破坏此限制的用户来说已足够。
The next is a little bit more complicated. 接下来会有点复杂。 What you need to look for is users making requests to your sever using the same authenticated session ID but with different IPs, broswers, etc. What you'll be looking for is dealing with the case where one person logs in, then looks at the session information in their cookie, and then re-creates an identical cookie with the same session ID on another machine. 您需要查找的是用户使用相同的经过身份验证的会话ID向您的服务器发出请求,但使用不同的IP,broswers等。您将要查找的是处理一个人登录的情况,然后查看其cookie中的会话信息,然后在另一台计算机上重新创建具有相同会话ID的相同cookie。
That second approach does have its issues though. 第二种方法确实存在问题。 Most people don't have entirely static IPs. 大多数人没有完全静态的IP。 An entirely static IP is actually very rare. 完全静态的IP实际上非常罕见。 That said, for most users their IP is not rotated very often; 也就是说,对于大多数用户来说,他们的IP不会经常轮换; they're unlikely to see it change while actively using the site. 在积极使用网站时,他们不太可能看到它发生变化。 These people are not going to have any problems if using the site appropriate. 如果使用适当的网站,这些人不会有任何问题。 However, there are going to be some people who's internet providers will rotate their IPs frequently. 但是,有些人的互联网提供商会经常轮换他们的IP。 These people may not be doing anything inappropriate either. 这些人可能也没有做任何不合适的事情。 If you don't deal with the fact that people's IPs may be frequently changing you could end up constantly kicking out all users from certain internet providers. 如果你不处理人们的IP可能经常变化的事实,你最终可能会不断地从某些互联网提供商那里踢出所有用户。 What you really want to be looking out for is cases where there is an action performed by a user with a given IP/session, then an action on the same account from a different IP with the same session, then more actions from the first IP, followed by more from the second, etc. When you see this flip flopping between two IPs in a very short span of time, it's a strong indication that two people on two different machines are accessing the account. 您真正想要注意的是具有给定IP /会话的用户执行的操作,然后来自具有相同会话的不同IP的同一帐户的操作,然后来自第一IP的更多操作的情况当你在很短的时间内看到两个IP之间的这种翻转时,它强烈表明两台不同机器上的两个人正在访问该帐户。 You can further improve this metric by incorporating other aspects of each request, such as the browser information (with the version, down to the lowest version component). 您可以通过合并每个请求的其他方面来进一步改进此度量标准,例如浏览器信息(包含版本,最低版本组件)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.