有什么方法可以使用Session变量实现单点登录吗? [英] Is there any way to implement single sign on using Session variable?
问题描述
朋友,
在我的应用程序中,我使用InProc会话状态,在此状态下,我将在成功进行身份验证后存储每个用户的User_Id.
Session.Add("UID", strUserid);
现在,同一用户可以从不同的浏览器窗口多次登录到我的应用程序.尚未实施任何单一登录.要求是我需要准备一些东西,以限制同一用户多次登录系统.如果用户已经登录到系统,我应该向用户显示一条消息.
我想到的一种方法是在用户表上添加标志,并在用户成功登录时更新标志,以便每次用户尝试登录时都可以跟踪标志数据.类似以下内容:
if(flag=="Y")
{
Don''t allow the user, show message.
}
else
{
allow user.
}
我想知道是否有任何可用的机制,以便可以遍历会话变量并检查当前用户的会话是否可用?如果当前的用户会话可用,我将不允许该用户.当我将user_id存储到会话中时,请让我知道是否可以使用会话变量来完成此操作.请提出一些想法,我可以遵循这些想法来实施.提前谢谢.
问候,
Subahdeep
,您只需要将UID添加到 Application 对象中,以便也可以从会话中访问它. >
我猜strUserid是唯一的,并且是一个字符串(如果strUserid是一个数字,则将其转换为字符串以添加到Application对象)请按照以下步骤操作
//write this code in the same procedure (function) where you authenticate user on login request Session.Add("UID", strUserid); // no other changes are required if(Application.Get(strUserid)!= null) { //Don''t allow the user, show message. } else { Application.Add(strUserid, "LOGGED_IN"); // show that he.she can not login again // check for user name and password, if match then allow user. }
同样,当有人注销然后从应用程序中删除UID
如果您使用的是ASP.Net,则可能应该看看Membership模型,该模型提供了许多用于处理安全性的功能.
看一下这个博客,它描述了一种处理此问题的方法
http://geekswithblogs.net/Frez/Frez/article/preventing-a-user-from-having-multiple-concurrent-sessions.aspx [ http://www. google.co.uk/search?q=asp.net+membership+prevent+multiple+user+logins+使用+ the +相同+凭据 [
Now, same user can login to my application multiple time from different browser window. There no single sign on implemented. The requirement is I need to have something in place which can restrict the same users to log in into the system multiple time. I should show a message to the user if the user is already logged in into the system.
One way I think of is to add a flag on my User table and update the flag when a user logged in successfully so that I can track the flag data every time a user tries logging in. Something like below:
if(flag=="Y") { Don''t allow the user, show message. } else { allow user. }
I wanted to know if there is any mechanism available, so that I can loop through the session variables and check if the current user''s session is available ? If current user session is available I''ll not allow the user. Please let me know if it can be done using the session variables as I''m storing the user_id to the session. Please suggest ideas which I can follow to implement it. Thanks in advance.
Regards,
Subahdeep解决方案you just need to add UID to Application object also so that this can be accessed out of your session also.
I guess strUserid is unique and a string ( if strUserid is a number then convert it to string for adding to Application object) follow these steps
//write this code in the same procedure (function) where you authenticate user on login request Session.Add("UID", strUserid); // no other changes are required if(Application.Get(strUserid)!= null) { //Don''t allow the user, show message. } else { Application.Add(strUserid, "LOGGED_IN"); // show that he.she can not login again // check for user name and password, if match then allow user. }
also when someone logout then remove the UID from Application
If you''re using ASP.Net, you should probably have a look at the Membership model which provides a lot of functionality for handling security.
Have a look at this blog that describes one way of handling this
http://geekswithblogs.net/Frez/Frez/articles/preventing-a-user-from-having-multiple-concurrent-sessions.aspx[^]
Otherwise, google is your friend!
http://www.google.co.uk/search?q=asp.net+membership+prevent+multiple+user+logons+using+the+same+credentials[^]
You mentioned that you are using InProc session state. Well, I guess there is no much you can do in this case. You can''t retrieve the active session states for a given user.
Possible solutions are:
a) move your session state to OutProc, then it becomes easy to retrieve it from your chosen database.
b)Enforce single sign-in mechanism. In this case you will prevent the user from login the second time while their session is active. But this comes with caveat. i) the user won''t able to use multiple browsers ii) the user can''t login from different machine until the session expires.
You can mitigate the session length with some javascript code. when ever the browser is closed kill the session. This is not fool-prove and it may not work on all cases.
这篇关于有什么方法可以使用Session变量实现单点登录吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
