How to limit number of concurrent users logging in to same account in Django

Question

My site is a digital marketplace website written in Django.

Digital content (text, images, videos) on the site is 'locked' by default. Only users who bought that content can view it.

There's a story that a certain user (who bought the content) gives away the username/password for free to many people (1,000+ people in Facebook groups, for example). Those 1,000 users can then log in using that single username/password and view the 'locked' digital content without paying a cent.

Is it possible to limit the number of concurrent logins to the same account?

I found this package:

https://github.com/pcraston/django-preventconcurrentlogins

but what it does is log the previous user out when someone logs in using the same username/password. That would not help because each user only needs to type in the username/password each time to access the 'locked' content.

Recommended answer

To limit the concurrent users, keep an eye on the existing sessions.

In your current approach, when a user logs in, a new session is created. That new session co-exists with the older sessions, so you have N concurrent sessions at the same time.

You want to allow a single session. The easiest approach would be to invalidate the older sessions when a new login happens:

  • detect/extend the login event (use the "user_logged_in" signal)
  • for each login, remove the other existing sessions from the same user (see "Clearing the session store")

Other (more complete, but more complex) approaches would be using Two-factor authentication, blocking per IP, throttling the login event, requiring email confirmation, etc...
