如何将对Web应用程序的访问限制为仅一台机器? [英] How to restrict access to web application to one machine only?
问题描述
我需要确保每个访问我的Web应用程序的用户只能在一台计算机上执行此操作,因此100个用户将意味着100台计算机.最好的解决方案是什么?首次登录时检测并存储IP是个好主意吗?我认为即使在会话的生命周期中IP也会改变,对吗?我还考虑过在用户首次登录时存储cookie.然后将这些cookie分配给用户,就像我已经使用密码和用户名一样,并且每次访问应用程序时都要检查cookie的存在.
I need to make sure that every users accessing my web application can do that from one machine only, so 100 users would mean 100 machines. What would be the best solution? Is detecting and storing IP during first login good idea? I think IP might change even during lifetime of the session is that right? I was also thinking of storing cookie when user first logs in. Then assigning these cookie to the user, same as I do with password and username already, and every time when accessing application checking for presence of that cookie.
请让我知道您认为什么是最佳解决方案.如果重要的话,我的后端是php/mysql.
Please let me know what in your opinion would be the best solution. My backend is php/mysql if that matters.
我需要澄清...这是正常会话管理的补充.我需要限制用户只能从一台特定的计算机登录Web应用程序.因此,如果用户最初是在工作时从其计算机登录的,而我存储了它的ip/cookie/etc,那么客户端将注销(甚至不注销),回家并尝试登录将无法执行此操作.我同意这个想法很可怕,但客户坚持:)
I need to clarify... This is in addition to normal session management. I need to restrict users to be able to login to web application from one specific machine only. So if user originally logged in from his computer at work and I stored its ip/cookie/etc., then client logs out (or even not), goes home and tries to login won't be able to do that. I agree its horrible idea but client insists :)
推荐答案
在移动客户端或在有线和无线网络之间切换的客户端的情况下,IP地址可能会更改.最好的选择可能是在每个客户端首次连接时为其提供一个随机生成的UID(如果它还没有cookie).然后,您可以使用两个不同的UID检查相同的用户名是否未连接.
IP address might change in the case of mobile clients, or clients that switch between wired and wireless networks. Your best bet would probably be to provide a randomly-generated UID to each client when it first connects (if it doesn't already have the cookie). Then you can check that the same username isn't connecting using two different UIDs.
诀窍在于,您需要确保将此UID超时,这样,如果用户转到另一台计算机,就不会被锁定.也许对UID进行一次更改是可以的,但是它们不能返回到已经使用过的UID吗?
The trick is that you need to make sure to time this UID out, so that if the user goes to another computer they aren't locked out. Perhaps one change to the UID is okay, but they can't go back to a UID that's already been used?
这篇关于如何将对Web应用程序的访问限制为仅一台机器?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
