限制并发登录-ASP.NET身份
[英]Restrict concurrent login - ASP.NET Identity
问题描述
I am trying to only allow a user account to be logged in, only once at the same time. 
我试图只允许一个用户帐户同时登录一次。
Eg User logs in via the browser on their computer, now they cant login at the same time on their phone as they are already logged in. 例如,用户通过计算机上的浏览器登录,现在,由于他们已经登录,因此无法在手机上同时登录。
I can add a bool property to my user entity, that I can update when the user logs in and logs out. 我可以向用户实体添加bool属性,当用户登录和注销时可以更新该属性。
However, I am using SlidingExpiration on the authentication cookie, therefore when the cookie expires it doesn't update my user property to say they are now logged out. 但是,我在身份验证cookie上使用了SlidingExpiration,因此,当cookie过期时,它不会更新我的用户属性,说他们现在已注销。
ExpireTimeSpan = <time period>,
SlidingExpiration = true,
Are there any better approach to restricting concurrent login? 有没有更好的方法来限制并发登录?
Thanks 谢谢
2 个解决方案
解决方案1
3 2014-05-23 10:58:59
Can you generate a Token at log in and store it in Data base? 您可以在登录时生成令牌并将其存储在数据库中吗?
Then, check every time if the token matches with the one provided by user. 然后,每次检查令牌是否与用户提供的令牌匹配。
If he does log in in another device, the token will be overwritten and won't match with the first one, so the first session will become invalid. 如果他确实登录另一台设备,则令牌将被覆盖并且与第一个令牌不匹配,因此第一个会话将变为无效。
EDIT: 编辑:
As you asked in a comment, it doesn't block a user to perform a second log in in another device concurrently, it only invalidates the previous sessions. 正如您在评论中要求的那样,它不会阻止用户同时在另一台设备上执行第二次登录,它只会使以前的会话无效。
Avoiding a second log in requires more job and isn't as safe as the method shown above. 避免再次登录需要更多工作,并且不如上面显示的方法安全。
Imagine that the user closes the browser without performing a log out... It will block the session. 想象一下,用户关闭浏览器而不执行注销...它将阻止会话。
An approximation of what you want will be adding the time parameter to your log in (adding it into the data base too, and updating the field on every user's action). 所需的近似值是将time参数添加到登录中(也将其添加到数据库中,并根据每个用户的操作更新该字段)。
Then show the message of "you can't log in twice" if the token doesn't matches and the time span is not far enough (ie 5 minutes). 如果令牌不匹配并且时间跨度不够(即5分钟),则显示消息“您无法两次登录”。 But in my example you need to show a "your session expired" if the token has changed anyway. 但是在我的示例中,如果令牌仍然更改,则需要显示“您的会话已过期”。
解决方案2
1 2014-05-23 10:59:25
"The idea is very simple every time the user logged in you have to generate random token , then you should save that token in the database and in session or if you are using Microsoft form authentication you can save it in the ticket, then each time the user request a page you'll check if the session token is same as database token , if not kick him out!" “这个想法很简单,每次用户登录时都必须生成随机令牌,然后应该将该令牌保存在数据库中以及会话中,或者如果您使用的是Microsoft表单身份验证,则可以将其保存在故障单中,然后每次用户请求一个页面,您将检查会话令牌是否与数据库令牌相同(如果没有将其踢出局!”)
http://engthunder.wordpress.com/2011/10/19/preventing-multiple-user-from-logging-in-using-the-same-username-single-user-login-at-a-time/ http://engthunder.wordpress.com/2011/10/19/preventing-multiple-user-from-logging-in-using-the-same-username-single-user-login-at-a-time/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.