ASP.NET 会员资格的正确 100% IsOnline 实施
我必须设计一个 CMS,其中一组凭据只能使用一次。 因此,如果用户从他的计算机登录,则在该用户注销之前,没有人可以使用他的凭据从其他位置登录。
现在使用开箱即用的 asp.net 成员资格提供程序,IsOnline 方法返回一个布尔值,反映超时窗口与上次活动日期的关系。 这对我来说不是一个可行的选择,因为如果用户在登录后关闭浏览器,IsOnline 仍然为 true。 但他的会话将被销毁(假设他没有使用“记住我”),因此如果他尝试在其他地方登录,它会说“抱歉,您仍然登录”。
有没有什么硬性和快速的选择来做到这一点......?
我正在考虑强制用户被“记住”,这样当他登录时,布尔值“IsReallyOnline”将被设置为 true,反之亦然,当他注销时。虽然这个选项有它的局限性,(人们关闭 cookie,而不是注销并关闭浏览器,然后 sum1 else 出现,浏览器访问该网站,他已登录等等......)这似乎是目前最可行的?
有什么建议么?
提前致谢
I have to design a CMS where a set of credentials can only be used once. So if a user has logged in from his computer, no-one can login with his credentials from another location until that user logs out.
Now using the asp.net membership provider out the box, the IsOnline method returns a boolean that reflects the timeout window vs. the last activity date. This is not a viable option for me, because if the user just closes the browser after logging in, IsOnline will still be true. But his session will be destroyed(assuming he's not using Remember Me) so if he tries to log in somewhere else it will say "Sorry you still logged in".
Are there any hard and fast options for doing this..?
I was thinking of forcing the users to be "Remembered" so when he logs in a boolean "IsReallyOnline" will be set to true and vice versa when he logs out.. Although this option has it's limitations, (people turn off cookies, not logging out and closing the browser then sum1 else comes and browser to the site and he's logged in etc....) it seems like the most viable for now?
Any suggestions?
Thanks in advance
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您实际上要求的东西超出了网络的范围。 HTTP 协议根据定义是无状态的,这意味着在任何时候; 服务器永远不需要知道客户端是否仍然存在。 Web 服务器编程语言(例如 php / asp.net mvc)的较新/较旧实现在很大程度上避免存储有关已连接/活动客户端的任何状态。
要问自己的一些问题包括:
用户可以在页面上“活跃”多长时间而不导致回发? 基于 JavaScript 的页面可以允许用户在发生任何类型的回发之前以交互方式使用页面相当长的时间。
用户将通过代理或缓存服务器吗? 在这种情况下,来自“不同”用户的多个请求可能来自同一台计算机。
您的应用程序将仅在一台计算机上运行,还是在一个服务器场上运行? 您需要确保负载平衡(例如)不会将不同的用户转移到允许多次登录的不同服务器上。
用户在同一台计算机上合法使用两个不同的浏览器怎么样? 这是允许的吗?
有人可能会认为您的问题源于考虑到您的要求而尝试使用错误的技术? 也许编写一个直接连接到服务器的客户端应用程序会更“安全”? (是的,我知道这是一个巨大的麻烦,但如果您的一个用户/一个登录要求是绝对的,也许您可以探索这一途径?)
哦,好吧,一个网络解决方案
对于以 http 为中心的解决方案,您可以尝试使用 javascript计时器每 X 秒向您的服务器发出一次请求,以指示会话仍处于活动状态。 只要浏览器打开并且网络连接有效,您就应该收到这些“ping”。 会话通过 httprequest 传递的 cookie 保持打开状态。
您将能够对“ping”页面进行编码,将用户详细信息存储到应用程序对象或您选择的某个会员提供程序中,然后在客户端尝试登录时询问该提供程序。
这将需要相对较短的超时在会话或其他机制上,以确保崩溃的浏览器不会将您的合法用户锁定太久。
请注意:如果用户没有打开 javascript,这将严重失败(不要假设他们会打开!)
You are really asking for something that is outside of the remit of the web. The HTTP protocol is by definition stateless, meaning that at any one time; a server never need know if a client still exists. The newer/older implementations of web server programming languages (e.g. php / asp.net mvc) for the most part shy away from storing any state about connected/active clients.
Some things to ask yourself include:
How long may a user be 'active' on a page without causing a postback? Javascript based pages may allow for a user to interactively be using a page for quite some time before any kind of postback happens.
Will the users be going through a proxy or caching server? Multiple requests from 'different' users may come from the same machine in this case.
Will your application be running on one machine only, or maybe a server farm? You'll need to ensure that load balancing (for example) doesn't punt different users onto different servers allowing multiple logins.
How about a user legitimately using two different browsers on the same machine? Is this to be allowed?
One might suggest your problem here stems from trying to use the wrong technology given your requirements? Maybe writing a client application which uses direct connection to your servers would be more 'secure'? (Yes I understand this is huge hassles but if your one user / one logon requirement is absolute maybe you could explore this avenue?)
Oh alright, a web solution
For a http centric solution you could try a javascript timer making a request to your server every X seconds to indicate that the session is still active. As long as the browser is open and the network connection valid you should be getting these 'pings'. The session is kept open by the cookie passed by the httprequest.
You'll be able to code the 'ping' page to store the user details into either the application object or some membership provider of your choice then interrogate this provider whenever a client attempts to log in.
This will require a relatively short time-out on a session or some other mechanism to ensure that a crashed browser doesn't lock your legitimate user out for too long.
Please note: This will fail horribly if the user doesn't have javascript turned on (Don't assume that they will have!)
快速选项:将 IsOnline 存储为会话。
检查会话是否为真,然后允许。 如果没有,就不允许。
如果用户关闭浏览器,他将在会话中注销。
Fast Option: Store IsOnline as a session.
Check if session is true, then allow. If not, don't allow.
If user closes browser, he will be logged outas its in a session.