并发用户会话 - 为什么我们看不到更多并发用户会话?
这是一个咆哮,也是一个问题。
有些网站(例如 Facebook)您一次只想登录一个帐户。
但从博客网站到电子邮件,一切总是会迫使您先注销,然后才能登录另一个帐户。
我了解安全隐患,以及它如何使基于 cookie 的会话变得更加复杂,但为什么我们没有看到更多这样的情况呢?
为什么同时来自一个客户端的多个用户是一个坏主意?
This is something of a rant, as well as a question.
There are some sites, like Facebook, where you would only want to be logged into one account at a time.
But everything from blogging sites to email always force you to logout before you can login to another account.
And I understand the security implications, and how it would make cookie-based sessions a little more complex, but why don't we see more of this?
Why would multiple users from a single client at once be a bad idea?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
我认为浏览器应该通过允许多个会话来实现这一点,每个会话都使用自己的 cookie/身份验证/等。
这可能是最好的解决方案,因为它似乎适用于所有网站,并且不需要对它们进行更新,而且,尽管我对此了解不多,但实施起来似乎并不是非常困难。
I think this is something that should be implemented by browsers by allowing multiple sessions, each using their own cookie/authentication/etc.
That would probably be the best solution, as it would seem to work for all sites, and require no updating for them, and, although I don't know much about it, it doesn't seem it would be terribly difficult to implement either.
简单的问题是大多数会话都是通过 cookie 实现的,没有 cookie 几乎没有办法做到这一点。
Cookie 的工作方式是它们绑定到域/路径,并且发送绑定到该域的所有 Cookie。
因此,如果您允许通过 2 个不同的 cookie 登录两次,问题将是每个连续的页面都会发送两个 cookie,并且看到这两个 cookie 的服务器不知道您正在充当哪个“用户”。
解决此问题的唯一方法是在所有链接周围传递“线程”标识(即将每个站点链接重写为
foo.bar?thread=2或thread=1来指示使用哪个会话),这完全是一场噩梦,更不用说安全隐患了。唯一真正的方法是通过浏览器沙箱,用户告诉浏览器给定选项卡和所有分支使用一个 cookie 集,而另一个选项卡和所有分支使用另一个 cookie 集。
从本质上讲,这不是一个网站可以实际解决的问题。
如果不将控制权委托给浏览器来实现,并且让用户手动指示他们何时想要分叉到新会话,那么实际上没有什么好方法来存储这些信息。
今天应该可以使用的单一浏览器解决方案:
The simple problem is most sessions are implemented via cookies, and there's pretty much no way to do it without cookies.
And the way cookies work, is they're bound to the domain/path, and all cookies tied to that domain are sent.
So if you permit logging in twice via 2 different cookies, the problem would be every successive page would send BOTH cookies, and the server seeing both has no idea which "user" you are acting as.
The only way around this is passing a "thread" identity around all links, ( that is, rewriting every site link on the fly to
foo.bar?thread=2orthread=1to indicate which session to use for things ), and that is a complete nightmare, not to mention security implications.The only real way to do it is via browser-sand boxing, the user tells the browser that a given tab and all offshoots use one cookie set, and the other tab and all offshoots use another.
In essence, its not a problem that can be solved by websites in a practical manner.
There's practically no good way to store this information without delegating the controls to how it works to browsers to implement, and for users to manually indicate when they want to fork into a new session.
Single Browser Solutions that should work today:
“为什么来自一个客户端的多个用户同时使用是一个坏主意?”
这根本不是一个坏主意,但是 HTTP 的使用迫使我们走这条路。
大多数客户端/服务器协议都是有状态的 - 客户端在握手期间只需要进行一次身份验证,然后会话由套接字连接表示。 如果失去连接,就会失去会话并必须重新进行身份验证。 这样,编写允许在一个进程中进行多个会话(作为相同或不同用户)的应用程序就变得很简单。
HTTP 是无状态的。 客户端需要以某种方式对每个请求重新进行身份验证。 身份验证信息通常存储在 cookie 中,这样一旦完成初始身份验证,用户就不必参与其中。 然而,Cookie 是全局的 - 不仅在进程中是全局的,而且通常跨应用程序的实例/调用。 因此,您只能进行一次会话。
您可能会认为 Web 应用程序设计者会将这种巨大的限制视为 HTTP 不是客户端/服务器应用程序开发的正确协议的标志。
"Why would multiple users from a single client at once be a bad idea?"
It is not a bad idea at all, but the use of HTTP forces us down this route.
Most client/server protocols are stateful - the client need authenticate only once during handshaking and then the session is represented by the socket connection. If you lose the connection, you lose the session and have to re authenticate. It is then trivial to write applications that allow multiple sessions (as the same or different users) in the one process.
HTTP is stateless. The client needs to re-authenticate in some manner with every single request. Authentication information is usually stored in cookies so that the user does not have to be involved once the initial authentication has been done. Cookies, however, are global - not just global with in the process, but generally across instances/invocations of the application. Hence, you are stuck with a single session.
You would have thought that web-app designers would have looked at this massive limitation as a sign that HTTP just isn't the right protocol for client/server application development.
多次登录的含义之一是如何管理权限。 假设我有两个帐户,一个具有删除用户帐户的权限,而另一个帐户没有此权限。
如果我可以同时登录两个帐户(以优先顺序为准),那么我是否拥有两个帐户的权限并集,还是仅拥有两个帐户所拥有的权限的交集?
如果我拥有权限联合,我是否有能力以赋予我太多权力的方式组合这些多个帐户的权限? 这对萨班斯-奥克斯利法案合规性意味着什么?
SQL 中也存在一个类似的问题,涉及“角色”,即一组特权。 在标准 SQL 中,允许给定帐户采用多个角色,但一次只能使用一个。 这可以防止您行使过多的特权。
One implication of multiple logins is how to manage privileges. Say I have two accounts, one has a privilege to delete user accounts and my other account lacks this privilege.
If I can be logged into both of my accounts simultaneously, which takes precedence, do I have the union of privileges from both accounts, or only the intersection of privileges held by both accounts?
If I have the union of privileges, would I have the ability to combine privileges from these multiple accounts in ways that give me too much power? What does this imply for Sarbanes-Oxley compliance?
An equivalent issue is seen in SQL, with respect to "roles" which are groups of privileges. In standard SQL, a given account is permitted to adopt multiple roles, but only one at a time. This prevents you from exercising too much privilege.
Cookie 状态锚定到主机标头...
使用不同的主机名或直接使用其 IP 地址连接到站点。 根据站点的不同,您也许可以为该站点设置一堆本地主机别名,以便您可以多次登录,因为每个别名都有自己的 cookie 状态。
如果站点重定向到自身以强制使用特定的主机标头,则别名将不起作用,并且您将需要使用多个浏览器。
Cookie state is anchored to the host header...
Use a different hostname or use its IP address directly to connect to the site. Depending on the site you may be able to setup a bunch of local host aliases to the site allowing you to be logged on more than once as each alias would have its own cookie state.
If the site redirects to itself to force a specific host header the aliasing won't work and you'll need to use multiple browsers.
自从你第一次写这个问题以来,IE 8 已经正式发布了,它有一个内置功能可以满足你的需求。 从“文件”菜单中,单击“新会话”。 这将打开一个新窗口,该窗口不会与原始窗口共享会话 cookie,从而允许您同时以不同的登录名登录到同一站点。
http://blogs. msdn.com/ie/archive/2009/05/06/session-cookies-sessionstorage-and-ie8.aspx
Since you first wrote the question, IE 8 has been officially released and it has a built-in feature that does what you want. From the "File" menu, click on "New Session." This will open a new window that will not share session cookies with the original window, allowing you to be logged into the same site under different logins simultaneously.
http://blogs.msdn.com/ie/archive/2009/05/06/session-cookies-sessionstorage-and-ie8.aspx
您可以通过创建新的配置文件在 Firefox 中执行多个会话 - 运行:firefox.exe -P 您可以在其中设置多个具有不同 cookie 的配置文件 - 您可以使用 firefox.exe 同时运行多个 Firefox 会话-P“配置文件名称”-no-remote 。 无遥控器将只允许每个会话 1 个窗口,但也允许同时多个会话。
You can do multiple sessions in Firefox by creating new profiles - run: firefox.exe -P which is where you can set up multiple profiles that will have different cookies - you can run multiple sessions of firefox at the same time by using firefox.exe -P "profileName" -no-remote . the no remote will only allow 1 window per session but will also allow multiple sessions at the same time.