Devise limit one session per user at a time
Problem description
My app is using Rails 3.0.4 and Devise 1.1.7.
I'm looking for a way to prevent users from sharing accounts as the app is a subscription-based service. I've been searching for over a week, and I still don't know how to implement a solution. I'm hoping someone has implemented a solution and can point me in the right direction.
Solution (Thank you everyone for your answers and insight!)
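In application_controller.rb

    before_filter :check_concurrent_session

    # Sign the user out when this session's token is no longer the stored one.
    def check_concurrent_session
      if is_already_logged_in?
        sign_out_and_redirect(current_user)
      end
    end

    # True when the token in this session differs from the user's login_token,
    # i.e. the account has been signed in somewhere else since.
    def is_already_logged_in?
      current_user && !(session[:token] == current_user.login_token)
    end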
In session_controller that overrides Devise Sessions controller:

    skip_before_filter :check_concurrent_session

    def create
      super
      set_login_token
    end

    private

    # Issue a fresh token on every sign-in and store it in both the session
    # and the users table; any older session now holds a stale token.
    def set_login_token
      token = Devise.friendly_token
      session[:token] = token
      current_user.login_token = token
      current_user.save
    end
In migration AddLoginTokenToUsers

    class AddLoginTokenToUsers < ActiveRecord::Migration
      def self.up
        change_table "users" do |t|
          t.string "login_token"
        end
      end

      def self.down
        change_table "users" do |t|
          t.remove "login_token"
        end
      end
    end
Recommended answer
You can't do it.
- You can control user IPs, so you can prevent a user from being present from two IPs at a time. And you can bind login and IP. You can try to check cities and other geolocation data through the IP to block users.
- You can set cookies to control something else.
But none of this will guarantee that only one user uses this login, and that those 105 IPs from all over the world don't belong to only one unique user, who uses a proxy or whatever.
And the last: you never need this on the Internet.
UPD
However, what I'm asking is about limiting multiple users from using the same account simultaneously which I feel should be possible
So you can store some token that will contain some encrypted data: IP + secret string + user agent + user browser version + user OS + any other personal info: encrypt(IP + "some secret string" + request.user_agent + ...). And then you can set a session or cookie with that token. And with each request you can fetch it: is the user the same? Is he using the same browser and the same browser version from the same OS, etc.?
Also you can use dynamic tokens: you change the token on each request, so only one user could use the system per session, because the token will be changed on each request; another user will be logged out as far as his token will be expired.
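The question's stored login_token check combined with the answer's client-bound token, modelled in plain Ruby as an added example (not code from the question or the answer). It uses an HMAC in place of the answer's encrypt(...); the names SECRET, User, fingerprint, sign_in, session_status and demo, and all sample addresses, are constructed for illustration.

```ruby
require "openssl"
require "securerandom"

# Added example: plain-Ruby model of the check, no Rails or Devise involved.
SECRET = SecureRandom.hex(32)          # constructed server-side key (assumption)
User = Struct.new(:email, :login_token)

# HMAC over the client properties; stands in for the answer's encrypt(...).
def fingerprint(nonce, ip, user_agent)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, [nonce, ip, user_agent].join("\n"))
end

# Sign-in rotates the stored token, which invalidates every older session.
def sign_in(user, ip, user_agent)
  nonce = SecureRandom.hex(16)
  user.login_token = "#{nonce}.#{fingerprint(nonce, ip, user_agent)}"
  { token: user.login_token }          # what would live in session[:token]
end

# Per-request check: the token must be the stored one AND match this client.
def session_status(user, session, ip, user_agent)
  token = session[:token].to_s
  return :signed_out_elsewhere if token.empty?
  return :signed_out_elsewhere unless OpenSSL.secure_compare(token, user.login_token.to_s)
  nonce, mac = token.split(".", 2)
  return :client_changed unless OpenSSL.secure_compare(mac.to_s, fingerprint(nonce.to_s, ip, user_agent))
  :ok
end

# Constructed scenario: a laptop signs in, then a phone signs in to the same account.
def demo
  user = User.new("alice@example.test", nil)
  laptop = sign_in(user, "198.51.100.7", "Firefox/Linux")
  first = session_status(user, laptop, "198.51.100.7", "Firefox/Linux")
  phone = sign_in(user, "203.0.113.9", "Safari/iOS")   # second login rotates the token
  [first,
   session_status(user, laptop, "198.51.100.7", "Firefox/Linux"), # old session is stale
   session_status(user, phone, "203.0.113.9", "Safari/iOS"),      # newest session is valid
   session_status(user, phone, "192.0.2.44", "Safari/iOS")]       # same token, other IP
end

p demo if __FILE__ == $0
```

Binding the token to the IP address also signs out legitimate users whose address changes (mobile networks, VPNs), and, as the answer says, none of this proves that only one person is using the account.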