
ASP.NET Identity Concurrent Logins

I have an ASP.NET Web Forms application. This application is not something that will be used internally, but rather will get installed on a server and sold to customers who will use it internally.

So with that, we have limited the number of users that can access it (different packages: 10, 25, 50, or unlimited). The problem is, however, that with ASP.NET Identity, concurrent logins are allowed. This means if a customer has a 10-user system, they could all log in as the same user, and have effectively unlimited user access. So if "Dave" logged in as Dave, then Jim could log in as Dave, as could Bob, John, Stacey, and any number of people.

What I'm missing is a way to force concurrent logins to log out, if the same user. So if Bob tries to log in as Dave, then Dave (the original login) gets logged out.

I found a couple of examples that somewhat work around the issue, but they were a little dated, and were for MVC.

I was able to solve the issue by utilizing cookie authentication and an asynchronous method to update the security stamp.

Basically, the user's login information is stored in a cookie, which gets validated on every page load. When someone else logs in with the same username (or the same user logs in with a different browser), it updates the security stamp (causing invalidation for anyone currently logged in) and then proceeds to log the user in, using the updated stamp. On the login screen, my "Login" button's LogIn event is:

protected async void LogIn(object sender, EventArgs e)

Then below in the body of the method, we have:

await signinManager.UserManager.UpdateSecurityStampAsync(user.Id);
await signinManager.PasswordSignInAsync(Username.Text, Password.Text, true, false);
Response.Redirect("~/Default.aspx");

This will ensure that every time a user logs in, their SecurityStamp is updated and stored in the database. And as long as the user goes back to the site in the same browser, then their login will be persisted. However, if any user comes behind them in a different browser and logs in using their same credentials, then the first account will be logged out.
