对asp.net成员正确的100％IsOnline实现 [英] Proper 100% IsOnline implementation for asp.net membership

问题描述

我必须设计一个CMS，其中一组凭据只能使用一次.因此，如果用户已经从计算机登录，那么在该用户注销之前，没有人可以使用他的凭据从另一个位置登录.

I have to design a CMS where a set of credentials can only be used once. So if a user has logged in from his computer, no-one can login with his credentials from another location until that user logs out.

现在使用开箱即用的asp.net成员身份提供程序，IsOnline方法将返回一个布尔值，该值反映了超时时间与上次活动日期之间的关系.这对我来说不是一个可行的选择，因为如果用户仅在登录后关闭浏览器，IsOnline仍为true.但是他的会话将被破坏(假设他没有使用记住我")，因此，如果他尝试登录其他地方，则会显示对不起，您仍然登录".

Now using the asp.net membership provider out the box, the IsOnline method returns a boolean that reflects the timeout window vs. the last activity date. This is not a viable option for me, because if the user just closes the browser after logging in, IsOnline will still be true. But his session will be destroyed(assuming he's not using Remember Me) so if he tries to log in somewhere else it will say "Sorry you still logged in".

是否有任何快速便捷的选择来执行此操作?

Are there any hard and fast options for doing this..?

我当时想强迫用户记住"，所以当他登录布尔值的"IsReallyOnline"时，将其设置为true，而当他注销时，反之亦然. cookie，而不是注销并关闭浏览器，然后sum1就会出现，浏览器已访问该站点，并且他已登录，等等..)似乎是目前最可行的?

I was thinking of forcing the users to be "Remembered" so when he logs in a boolean "IsReallyOnline" will be set to true and vice versa when he logs out.. Although this option has it's limitations, (people turn off cookies, not logging out and closing the browser then sum1 else comes and browser to the site and he's logged in etc....) it seems like the most viable for now?

有什么建议吗?

预先感谢

推荐答案

您真正要的是网络之外的东西.根据定义，HTTP协议是无状态的，这意味着可以随时使用.服务器永远不需要知道客户端是否仍然存在. Web服务器编程语言的较新/较旧的实现(例如php/asp.net mvc)在很大程度上避免了存储有关已连接/活动客户端的任何状态.

You are really asking for something that is outside of the remit of the web. The HTTP protocol is by definition stateless, meaning that at any one time; a server never need know if a client still exists. The newer/older implementations of web server programming languages (e.g. php / asp.net mvc) for the most part shy away from storing any state about connected/active clients.

要问自己的一些事情包括:

用户在页面上处于活动状态"多长时间而不会引起回发?基于Javascript的页面可能允许用户在任何类型的回发发生之前的相当长一段时间内以交互方式使用该页面.

How long may a user be 'active' on a page without causing a postback? Javascript based pages may allow for a user to interactively be using a page for quite some time before any kind of postback happens.

用户将通过代理服务器还是缓存服务器?在这种情况下，来自不同"用户的多个请求可能来自同一台计算机.

Will the users be going through a proxy or caching server? Multiple requests from 'different' users may come from the same machine in this case.

您的应用程序将仅在一台计算机上运行，​​还是在服务器场上运行?您需要确保(例如)负载平衡不会将不同的用户拖到允许多次登录的不同服务器上.

Will your application be running on one machine only, or maybe a server farm? You'll need to ensure that load balancing (for example) doesn't punt different users onto different servers allowing multiple logins.

用户合法地在同一台计算机上使用两个不同的浏览器怎么样?这是允许的吗?

How about a user legitimately using two different browsers on the same machine? Is this to be allowed?

一个人可能会在这里提出您的问题，原因是鉴于您的要求尝试使用错误的技术?也许编写一个直接连接到您的服务器的客户端应用程序会更安全"? (是的，我知道这很麻烦，但是如果您的一个用户/一个登录要求是绝对的，也许您可​​以探索这个途径?)

One might suggest your problem here stems from trying to use the wrong technology given your requirements? Maybe writing a client application which uses direct connection to your servers would be more 'secure'? (Yes I understand this is huge hassles but if your one user / one logon requirement is absolute maybe you could explore this avenue?)

哦，好的Web解决方案

对于以http为中心的解决方案，您可以尝试使用JavaScript计时器，每隔X秒向您的服务器发出一次请求，以指示会话仍处于活动状态.只要浏览器处于打开状态并且网络连接有效，您就应该获得这些"ping".该会话通过httprequest传递的cookie保持打开状态.

For a http centric solution you could try a javascript timer making a request to your server every X seconds to indicate that the session is still active. As long as the browser is open and the network connection valid you should be getting these 'pings'. The session is kept open by the cookie passed by the httprequest.

您将能够对"ping"页面进行编码，以将用户详细信息存储到应用程序对象或您选择的某些成员资格提供程序中，然后在客户端尝试登录时询问该提供程序.

You'll be able to code the 'ping' page to store the user details into either the application object or some membership provider of your choice then interrogate this provider whenever a client attempts to log in.

这将要求会话或其他机制相对较短的超时时间，以确保崩溃的浏览器不会将您的合法用户锁定太长时间.

This will require a relatively short time-out on a session or some other mechanism to ensure that a crashed browser doesn't lock your legitimate user out for too long.

请注意:如果用户没有打开javascript，这将非常失败(不要以为他们会使用！)

Please note: This will fail horribly if the user doesn't have javascript turned on (Don't assume that they will have!)

这篇关于对asp.net成员正确的100％IsOnline实现的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！