登录安全：如何禁用多个登录 [英] Login Security: How to Disable Multiple login

问题描述

我想我的网站上禁用多个登录。例如，当用户登录已经在系统上。系统应禁用用户在其他浏览器或电脑重新登录。目前，我试图通过使用数据库这样做。我有一列像login_status，一旦用户在登录其将更新为1和0离线。如果用户关闭浏览器未注销。它将保持登录时，用户应该要求管理员登录他。问题是我们要自动退出由30分钟空闲时间的最大用户。我有一个困难时期如何做到这一点。

I want to disable multiple login on my web. For example when a user already login on the system. System should disable the user to login again on another browser or computer. Currently I tried doing this by using the database. I have a column like login_status, Once the user is login it will update to 1 and 0 for offline. If you the user closes the the browser without logging out. It will remain login, the user should ask the admin to log him out. The problem is we want to automatically logout the user by max of 30min idle time. I'm having a hard time how to do this.

有没有一种方法来禁用多个登录，并确定用户是否被闲置并自动登录他出去？我想关于cookie和session。

Is there a way to disable multiple login and determine if the user was idle and automatically log him out? I'm thinking about cookies and session.

推荐答案

访问者可以从多个位置同时登录的原因是因为每当他们登录ASP.net为它们分配相同的身份验证令牌。因此，在本身的认证令牌不允许你的位置之间恶心的用户在登录电子从

The reason a visitor can login from multiple locations at once is because whenever they login ASP.net assigns them the same authentication token. So the authentication token in itself doesn't allow you to disgusting between the location the user is loging in from.

有解决这个可能很多方式，但原则上，所有你需要做的是存储在用户的会话状态的一些身份信息，并检查了这对每个请求。

There are probably many ways around this, but in principle all you need to do is store some identifying information in the users session state and check this on each request.

例如，当他们登录你可以存储他们的IP地址的会话，然后为每个身份验证的请求检查请求来自本场比赛的IP IP。如果不注销用户。

For example when they login you could store their IP address in session, and then for every authenticated request check the IP the request comes from matches this IP. If not log the user out.

另外，如果IP是不是一个好足够的标识符（例如，如果用户登录电子是从复式电脑将共享IP地址在路由器后面），你可以添加一些识别信息的用户身份验证令牌，当他们登录。这里是如何做到这一点的教程：

Alternatively if IP isn't a good enough identifier (e.g. if a user is loging in from behind a router mutliple PCs will share IPs) you can add some identifying information to the users authentication token when they login. Here is a tutorial on how to do that:

的http://www.danharman.net/2011/07/07/storing-custom-data-in-forms-authentication-tickets/

所以他们每次登录生成一个唯一的GUID时，它存储在会话和身份验证令牌。然后，对每个请求你比较两个不同的，如果你注销用户。

So each time they login you generate a unique GUID, store it in session and in the authentication token. Then on each request you compare the two and if different you log the user out.

这是一对夫妇的可能性 - 我敢肯定还有其他的。一个更好的方法可能是影响asp.net身份验证令牌本身当asp.net产生的，引入一些变化。但我不知道这是可能的 - 我做了一个简单的谷歌和无疾而终了。

These are a couple of possibilities - I'm sure there are others. An even better way may be to influence the asp.net authentication token itself when asp.net generates it, to introduce some change. But I'm not sure this is possible - I did a brief Google and nothing came up.

这篇关于登录安全：如何禁用多个登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！