Prevent multiple logins using the same credentials

Views: 52

Problem description

I checked previously asked similar questions, but I am not able to find a suitable answer.

Requirement: On two different machines the same user credentials can't be used to access the application.

What I have implemented: at the time of login, log out from all previous devices used by the user.

from django.db import models
from django.contrib.auth.models import User
from django.contrib.auth.signals import user_logged_in
from django.contrib.sessions.models import Session


class UserAccount(models.Model):
    """
    This model will be used to store extra user information.
    """

    user = models.OneToOneField(User, db_index=True, on_delete=models.CASCADE)
    session = models.CharField(max_length=40, null=True)
    # IPAddressField was removed in Django 1.9; GenericIPAddressField is its replacement
    ip_address = models.GenericIPAddressField()


def logout_other_devices(user, request, **kwargs):
    """
    Delete the session of (log out) all other devices using the same credentials.
    Connected to user_logged_in, so it runs after login() has assigned the new session key.
    """

    profile = user.useraccount

    if profile.session:
        # drop the previous session row: the old device's cookie no longer matches anything
        Session.objects.filter(session_key=profile.session).delete()

    # remember the session that is now the only valid one for this user
    profile.session = request.session.session_key
    profile.ip_address = request.META.get('REMOTE_ADDR')
    profile.save()


user_logged_in.connect(logout_other_devices)

What is still left: if one user is logged in on one system and passes their sessionid (from cookies) to a second user connected under the same WiFi (or LAN) connection, then the IP of the second user comes out the same on the server. How can I tell the second user apart and log out the first user before allowing the second user access to any website data?

Recommended answer

Django generates a session key and saves it in the db every time a user logs in. If the user logs in from another browser/device, Django creates a new session key without deleting the old one.

If you want to log the user out of other devices, you just need to delete his/her previous session key from db.

Since there is no easy way to identify which key belongs to which user, you will have to save the session key in the user model after the user logs in. So, add another field in your User model called session_key, like so:

# models.py

class UserAccount(...):
    ...
    session_key = models.CharField(max_length=100, null=True)

You will also need to make some changes to your login view, like so:

# views.py

from django.contrib.auth import authenticate, login
# the Session model lives in django.contrib.sessions.models (the original import path
# "django.contrib.sessions.backend.db" is misspelled and is not where the model is exported)
from django.contrib.sessions.models import Session

def login_view(request):
    ...
    user = authenticate(...)

    # Here comes the good part

    if user is not None:

        # session_key is the field added to the user model above; it is non-empty
        # for a user who is still logged in on another device
        if user.session_key:
            try:
                s = Session.objects.get(session_key=user.session_key)
            except Session.DoesNotExist:
                pass
            else:
                s.delete()  # delete the old session from the db, logging the other device out

        login(request, user)  # log the user in (Django assigns a fresh session key here)

        # set the new session_key for the user instance
        user.session_key = request.session.session_key
        user.save()  # save the user

    # do other stuff

    # do other stuff
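The thread describes two behaviours: the answer's "delete the previous session on login" policy, and the asker's open problem of two clients behind one NAT presenting the same cookie, where the IP address cannot tell them apart. The following added example is not code from the question, the answer or Django; it is a pure-Python, in-memory model of both, so it runs without a Django install. It assumes two things the thread does not state: that the server can bind a session to a client attribute it sees (a User-Agent string, used here as a constructed fingerprint), and that it may rotate the session key on each successful request. Rotation is what makes cookie sharing visible: once a key has been rotated out, a second client replaying the original cookie is presenting a key the server knows is retired, and the server can end the whole session rather than guess which of the two clients is legitimate.

```python
import secrets
from dataclasses import dataclass


@dataclass
class ServerSession:
    """One server-side session record (stand-in for a row in Django's Session table)."""
    key: str
    user: str
    user_agent: str  # client attribute bound at login (constructed fingerprint for the demo)


class SessionStore:
    """
    In-memory single-session store. Assumptions (not from the original thread):
    the server sees a User-Agent header and may rotate the session cookie on
    every successful request.
    """

    def __init__(self):
        self.sessions = {}  # session_key -> ServerSession  (the Session table)
        self.current = {}   # username -> session_key       (the UserAccount.session field)
        self.retired = {}   # rotated-out key -> username, so a replayed key is recognisable

    def login(self, user, user_agent):
        """Log in from a new device: the answer's approach, delete the previous session first."""
        old_key = self.current.get(user)
        if old_key is not None:
            self.sessions.pop(old_key, None)  # the "logout_other_devices" step
        key = secrets.token_hex(20)
        self.sessions[key] = ServerSession(key, user, user_agent)
        self.current[user] = key
        return key

    def validate(self, key, user_agent):
        """
        Check a presented cookie on each request. Returns (status, new_key):
          "ok"                   -> request allowed; the client must switch to new_key
          "no_session"           -> unknown or already logged-out key
          "fingerprint_mismatch" -> cookie used from a different client; session ended
          "reuse_detected"       -> a rotated-out key came back, i.e. two clients share
                                    the cookie (the asker's LAN case); session ended
        """
        sess = self.sessions.get(key)
        if sess is None:
            owner = self.retired.pop(key, None)
            if owner is not None:
                self._logout(owner)
                return "reuse_detected", None
            return "no_session", None
        if sess.user_agent != user_agent:
            self._logout(sess.user)
            return "fingerprint_mismatch", None
        # Rotate: the old key is retired, so whichever client replays it is exposed.
        new_key = secrets.token_hex(20)
        del self.sessions[key]
        self.retired[key] = sess.user
        self.sessions[new_key] = ServerSession(new_key, sess.user, sess.user_agent)
        self.current[sess.user] = new_key
        return "ok", new_key

    def _logout(self, user):
        key = self.current.pop(user, None)
        if key is not None:
            self.sessions.pop(key, None)


def shared_cookie_scenario():
    """
    The asker's case: two clients behind one NAT present the same cookie.
    Returns the sequence of statuses the server produced.
    """
    store = SessionStore()
    ua = "Mozilla/5.0 (constructed sample UA)"
    key = store.login("alice", ua)            # alice logs in; the cookie is later copied
    status1, key2 = store.validate(key, ua)   # alice's own next request: ok, key rotated
    status2, _ = store.validate(key, ua)      # the copy of the original cookie comes back: caught
    status3, _ = store.validate(key2, ua)     # alice's rotated key has been ended as well
    return [status1, status2, status3]


def second_device_scenario():
    """The answer's case: a second login evicts the first device."""
    store = SessionStore()
    laptop = store.login("bob", "laptop-UA")
    phone = store.login("bob", "phone-UA")    # logs the laptop out
    status_laptop, _ = store.validate(laptop, "laptop-UA")
    status_phone, _ = store.validate(phone, "phone-UA")
    return [status_laptop, status_phone]


if __name__ == "__main__":
    print(shared_cookie_scenario())   # ['ok', 'reuse_detected', 'no_session']
    print(second_device_scenario())   # ['no_session', 'ok']
```

Two caveats for anyone carrying this into a real Django project. Rotating on every request breaks a browser that fires several requests in parallel with the same cookie, so production systems rotate with a short grace window or only at privilege changes (Django exposes `request.session.cycle_key()` for that), and the `retired` map needs an expiry so it does not grow without bound. The User-Agent string is also under the client's control, so it is only a weak signal; the reuse check is what actually distinguishes the two clients in the asker's scenario.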
