Prevent duplicate login with FOSUserBundle

Problem description

Our application is using Symfony 2.0 and MongoDB with FOSUserBundle for user management.

The client wants to prevent simultaneous logins with the same username from different devices in their application.

Our idea is to invalidate/delete all other sessions for the same user when the successful login occurs.

The problem is that we cannot save the session in the DB, because the Mongo session handler was added later, in version 2.1.

The only solution we came up with is to iterate over the session files saved in the file system and check if the username of the user is saved in that file. If that is true, we just delete the file, and the login sessions at other locations are terminated. Of course, we have to check that we don't delete the current session as well.

Does anyone have a better idea how the problem could be solved? If not, are there any hidden traps that we should know about?

Recommended answer

You could add an IP address column to the user entity that stores the current user's IP upon login. On each page load (via an event listener), you could check the IP stored in the DB against the IP of the person requesting the page. If the IP in the DB doesn't match the current user's IP (someone logged in from another location), log them out.

To take it a step further, via ajax, you could make a call to the server every X seconds that performs the same type of check, and do a redirect to log the user out if the ajax request returns a bad match.
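
The per-request check described in the answer, as an added example in plain PHP 7+ (not part of the original answer, and not Symfony or FOSUserBundle code). It goes one step beyond the answer by also comparing a hypothetical per-login token, because two devices behind one NAT address share an IP. The function names, the `$users` array standing in for the user collection, and the addresses are constructed for illustration.

```php
<?php
// Added example, not code from the question or the answer.
// $users is a constructed in-memory stand-in for the user collection;
// $session stands in for one device's server-side session data.

// On successful login: overwrite the stored markers for this user. Every
// older session of the same user now holds a stale token.
function recordLogin(array &$users, array &$session, string $username, string $ip): void
{
    $token = bin2hex(random_bytes(16)); // hypothetical per-login token
    $users[$username] = ['loginIp' => $ip, 'loginToken' => $token];
    $session = ['username' => $username, 'loginToken' => $token];
}

// The answer's check: stored login IP versus the IP of the current request.
function ipStillMatches(array $users, array $session, string $requestIp): bool
{
    $user = $users[$session['username'] ?? ''] ?? null;
    return $user !== null && $user['loginIp'] === $requestIp;
}

// Variant: token kept in the session versus the token stored at last login.
function tokenStillMatches(array $users, array $session): bool
{
    $user = $users[$session['username'] ?? ''] ?? null;
    return $user !== null
        && hash_equals($user['loginToken'], $session['loginToken'] ?? '');
}

$users  = [];
$laptop = [];
$phone  = [];

// Constructed scenario: the laptop logs in, then the phone logs in from the
// same public address (both behind one NAT router; documentation IP range).
recordLogin($users, $laptop, 'alice', '203.0.113.7');
recordLogin($users, $phone,  'alice', '203.0.113.7');

// Next request from the laptop: same address, token from the first login.
printf("laptop ip check:    %s\n", var_export(ipStillMatches($users, $laptop, '203.0.113.7'), true));
printf("laptop token check: %s\n", var_export(tokenStillMatches($users, $laptop), true));

// The phone, the only current login, moves to a different network.
printf("phone ip check:     %s\n", var_export(ipStillMatches($users, $phone, '198.51.100.20'), true));
printf("phone token check:  %s\n", var_export(tokenStillMatches($users, $phone), true));
```

A `false` result from the check in use is the point at which the listener from the answer would log the session out.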
