Allow only one session per user


Problem description

We have a web-application developed using struts2, spring & hibernate.

The application needs a functionality that one user can login from only one browser.

Say if user x, is logged in on pc-1 browser ff, then he cannot be logged in from any other place.

I tried it by implementing a session map and storing the sessions in a global map, but this fails when the user logs off and tries to log in again.

It even fails critically if the user does not log off and the session times out, but the map is not cleared.

What would be a better way to implement this functionality?

We do not want to obstruct the user from logging in, but we do not want users to exploit the application by allowing him to share the credentials and allow multiple users with the same login to happen.

Recommended answer

Since you are already using Spring, I would recommend you to integrate your application with Spring Security.

Spring Security lets you define the maximum number of sessions allowed per user concurrently.

<session-management>
    <concurrency-control max-sessions="1" />
</session-management>

If set, when a user who has a valid session tries to log in again, it will inform the user that maximum concurrent access is set to 1.

If Spring Security is not an option for you, then:


  1. Use a SessionInterceptor which will check for session validity. If the session is valid, it will check if the user is already logged in to the application (for this you will have to maintain the session somewhere, e.g. in a database, for every successful login). If a valid login is found, redirect the user again to the login page with a custom message, or log out the already valid session and then redirect him to log in again. If you log out the earlier session, it would mean any successive action in that browser session will have to deal with an invalid session.

In case you are also using Servlet in your application, then the Interceptor won't work for you. In this case you should use a Filter and follow the same steps as detailed above for the Interceptor.
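The registry that the interceptor/filter approach above depends on, written as an added example (not code from the original answer). It assumes the javax.servlet API; the class name, method names and the `authenticatedUser` session attribute are hypothetical. Registering it as a `<listener>` in web.xml makes the container clear the entry on both logout and session timeout, the case where the question's global map failed.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example (hypothetical class). The container calls sessionDestroyed()
// for explicit invalidate() (logout) and for idle timeout alike.
public class SingleSessionRegistry implements HttpSessionListener {

    // Assumed attribute name under which the login action stores the user id.
    public static final String USER_ATTR = "authenticatedUser";

    // One live session per user; static because the container creates the listener.
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<>();

    /** Call after credentials are verified, passing a freshly created session. */
    public static void onLoginSuccess(String user, HttpSession session) {
        session.setAttribute(USER_ATTR, user);
        HttpSession previous = ACTIVE.put(user, session);
        if (previous != null && previous != session) {
            try {
                previous.invalidate(); // policy chosen here: newest login wins
            } catch (IllegalStateException alreadyInvalid) {
                // the old session expired between put() and invalidate()
            }
        }
    }

    /** Interceptor/Filter check: is this still the session registered for its user? */
    public static boolean isCurrent(HttpSession session) {
        Object user = session.getAttribute(USER_ATTR);
        return user != null && ACTIVE.get(user) == session;
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) { /* not authenticated yet */ }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        Object user = session.getAttribute(USER_ATTR);
        if (user != null) {
            // Two-argument remove: a stale session must not evict a newer login.
            ACTIVE.remove(user, session);
        }
    }
}
```

To reject the second login instead of ending the first, have the login action refuse when an entry for the user already exists rather than calling `onLoginSuccess`.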
