设计 - 如果同一用户从不同的浏览器/机器登录，则用户会话无效 [英] Devise - Invalidate user session if the same user logs in from a different browser/machine

问题描述

我有一个场景，我需要限制用户一次只有一个活动会话.我的是一个 rails3 应用程序，并使用设计进行身份验证.我有兴趣只保持最新的用户会话处于活动状态.即，如果用户登录时有另一个相同用户名的活动会话，我想停用旧会话并允许最近的会话.有没有办法在设计中获取用户会话并使它们无效?

I have a scenario where i need to restrict users from having only one active session at a time. Mine is a rails3 application and uses devise for authentication. I'm interested in keeping only the latest user session active. i.e., if a user logs in while there is another session active for the same username, i want to inactivate the older session and allow the recent one. Is there a way, in devise, to get hold of user sessions and invalidate them?

推荐答案

您可以通过在数据库中存储特定于该用户的唯一令牌来跟踪特定用户的会话.

You can track a particular user's session by storing a unique token specific to that user in the database.

创建迁移以添加用于存储令牌的字段.我假设设计模型是用户.

Create a migration to add the field for storing the token. I assume the devise model is User.

class AddSignInTokenToUsers < ActiveRecord::Migration
  def change
    add_column :users, :current_sign_in_token, :string
  end
end

将以下代码添加到application_controller.rb

class ApplicationController < ActionController::Base
  before_filter :invalidate_simultaneous_user_session, :unless => Proc.new {|c| c.controller_name == 'sessions' and c.action_name == 'create' }

  def invalidate_simultaneous_user_session
    sign_out_and_redirect(current_user) if current_user && session[:sign_in_token] != current_user.current_sign_in_token
  end

  def sign_in(resource_or_scope, *args)
    super
    token = Devise.friendly_token
    current_user.update_attribute :current_sign_in_token, token
    session[:sign_in_token] = token
  end
end

sign_in(resource_or_scope, *args) 是一个设计钩子，每次用户登录时都会调用.

sign_in(resource_or_scope, *args) is a devise hook that will be called every time the user logs in.

invalidate_simultaneous_user_session 如果当前用户的另一个实例登录，将注销当前用户.这将确保在任何时间一个用户只有一个会话处于活动状态.

invalidate_simultaneous_user_session will log out the current user if another instance of the current user logs in. This will ensure that only one session is active for a user at any instance of time.

invalidate_simultaneous_user_session 过滤器应该跳过用户登录操作以更新新登录用户的令牌.我对使用 Proc 跳过基于控制器名称和操作的过滤器不满意.如果您已经覆盖了设计的 sessions_controller，那么在该控制器中包含 skip_before_filter :check_simultaneous_user_session 并且您可以摆脱 Proc！

invalidate_simultaneous_user_session filter should be skipped for the user login action to update the newly logged in user's token. I am not happy with using a Proc to skip the filter based on controller name and action. If you have already overridden devise's sessions_controller, then include skip_before_filter :check_simultaneous_user_session inside that controller and you can get rid of the Proc!

希望这有帮助..

这篇关于设计 - 如果同一用户从不同的浏览器/机器登录，则用户会话无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！