当前位置: 文江博客话题详情

Django 应用程序中仅允许每个用户单个活动会话

发布于 2024-12-28 08:47:09 字数 3061 浏览 1 评论 0原文

我想限制登录用户只有一个活动会话,即如果用户使用新的 sessionid 登录,则应终止旧会话。 我已经找到了很多关于SO的帮助: 此处这里

我实现了中间件解决方案,进行一些额外的检查...

class OnlyOneUserMiddleware(object):
"""
Middleware to ensure that a logged-in user only has one session active.
Will kick out any previous session. 
"""
def process_request(self, request):
    if request.user.is_authenticated():
        try:
            cur_session_key = request.user.get_profile().session_key
            if cur_session_key and cur_session_key != request.session.session_key:
                # Default handling... kick the old session...
                Session.objects.get(session_key=cur_session_key).delete()
            if not cur_session_key or cur_session_key != request.session.session_key:
                p = request.user.get_profile()
                p.session_key = request.session.session_key
                p.save()
        except ObjectDoesNotExist:
            pass

到目前为止,一切顺利...在 Django 开发服务器(manage.py runserver)上一切正常,它会启动旧会话......

但是当使用 Apache 时(与 mod_wsgi),它不起作用!

我试图找到有关此的任何信息,但到目前为止没有运气...

我发现的最接近的是 这个,但这是一种“相反”的问题......

任何帮助将不胜感激。

编辑:我在删除会话之前添加了调试打印... 这是 Apache 的 error.log 中的一个片段:

[Fri Jan 20 09:56:50 2012] [error] old key = f42885ccb7f33b6afcb2c18fca14f44a
[Fri Jan 20 09:56:50 2012] [error] new key = ce4cfb672e6025edb8ffcd0cf2b4b8d1
[Fri Jan 20 09:57:14 2012] [error] old key = f42885ccb7f33b6afcb2c18fca14f44a
[Fri Jan 20 09:57:14 2012] [error] new key = 0815c56241ac21cf4b14b326f0aa7e24

前两个谎言来自我进入第一个会话(Firefox)时,

最后两个谎言来自我进入第二个会话(Chromium)时

......事实证明旧会话记录不会被删除...???

我正在运行与我在开发服务器上运行的完全相同的 PostgreSQL 实例...

Edit2:事实证明我的代码有错误...当在会话中找不到新的 Session_key 时它失败...

这是固定代码... try.. except 现在位于正确的位置

class OnlyOneUserMiddleware(object):
    """
    Middleware to ensure that a logged-in user only has one session active.
    Will kick out any previous session. 
    """
    def process_request(self, request):
        if request.user.is_authenticated():
            cur_session_key = request.user.get_profile().session_key
            if cur_session_key and cur_session_key != request.session.session_key:
                # Default handling... kick the old session...
                try:
                    s = Session.objects.get(session_key=cur_session_key)
                    s.delete()
                except ObjectDoesNotExist:
                    pass
            if not cur_session_key or cur_session_key != request.session.session_key:
                p = request.user.get_profile()
                p.session_key = request.session.session_key
                p.save()
原文

I want to restrict logged-in users to only have one active session, i.e. if the user logs in with a new sessionid, the old session should be terminated.
I found a lot of help on SO already:
here and here

I implemented the middleware solution, with a bit of extra checking...

class OnlyOneUserMiddleware(object):
"""
Middleware to ensure that a logged-in user only has one session active.
Will kick out any previous session. 
"""
def process_request(self, request):
    if request.user.is_authenticated():
        try:
            cur_session_key = request.user.get_profile().session_key
            if cur_session_key and cur_session_key != request.session.session_key:
                # Default handling... kick the old session...
                Session.objects.get(session_key=cur_session_key).delete()
            if not cur_session_key or cur_session_key != request.session.session_key:
                p = request.user.get_profile()
                p.session_key = request.session.session_key
                p.save()
        except ObjectDoesNotExist:
            pass

So far, so good... on the Django dev server (manage.py runserver) everything works properly, it kicks the old session...

...but when using Apache ( with mod_wsgi), it doesn't work!

I've tried to find any information about this, but no luck so far...

The closest I have found is this, but it is kind of the 'opposite' problem...

Any help would be much appreciated.

Edit: I added a debug print before deleting the Session...
here's a snippet from Apache's error.log:

[Fri Jan 20 09:56:50 2012] [error] old key = f42885ccb7f33b6afcb2c18fca14f44a
[Fri Jan 20 09:56:50 2012] [error] new key = ce4cfb672e6025edb8ffcd0cf2b4b8d1
[Fri Jan 20 09:57:14 2012] [error] old key = f42885ccb7f33b6afcb2c18fca14f44a
[Fri Jan 20 09:57:14 2012] [error] new key = 0815c56241ac21cf4b14b326f0aa7e24

the first two lies are from when I entered with the first session (Firefox)

the last two are from when I entered with the second session (Chromium)

... it turns out that the old Session record does not get deleted... ???

I'm running vs. the exact same PostgreSQL instance as I did with the devserver...

Edit2: It turned out that my code was buggy... it failed when the new Session_key wasn't found in Session...

here's the fixed code... the try..except is now in the correct place

class OnlyOneUserMiddleware(object):
    """
    Middleware to ensure that a logged-in user only has one session active.
    Will kick out any previous session. 
    """
    def process_request(self, request):
        if request.user.is_authenticated():
            cur_session_key = request.user.get_profile().session_key
            if cur_session_key and cur_session_key != request.session.session_key:
                # Default handling... kick the old session...
                try:
                    s = Session.objects.get(session_key=cur_session_key)
                    s.delete()
                except ObjectDoesNotExist:
                    pass
            if not cur_session_key or cur_session_key != request.session.session_key:
                p = request.user.get_profile()
                p.session_key = request.session.session_key
                p.save()

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

掐死时间 2025-01-04 08:47:09

确实到处都有很多类似的问题,但这是我的解决方案。

当用户登录时,检查所有活动会话并删除具有相同 user.id 的会话。对于较小的网站,这应该就可以了。

# __init__.py
# Logs user out from all other sessions on login, django 1.8

from django.contrib.sessions.models import Session
from django.contrib.auth.signals import user_logged_in
from django.db.models import Q
from django.utils import timezone

def limit_sessions(sender, user, request, **kwargs):
    # this will be slow for sites with LOTS of active users

    for session in Session.objects.filter(
        ~Q(session_key = request.session.session_key),
        expire_date__gte = timezone.now()
    ):
        data = session.get_decoded()
        if data.get('_auth_user_id', None) == str(user.id):
            # found duplicate session, expire it
            session.expire_date = timezone.now()
            session.save()

    return

user_logged_in.connect(limit_sessions)

There is indeed a lot of similar questions all over the place, but here is my solution.

When a user logins go over all active sessions and remove the ones with the same user.id. For smaller websites, this should do just fine.

# __init__.py
# Logs user out from all other sessions on login, django 1.8

from django.contrib.sessions.models import Session
from django.contrib.auth.signals import user_logged_in
from django.db.models import Q
from django.utils import timezone

def limit_sessions(sender, user, request, **kwargs):
    # this will be slow for sites with LOTS of active users

    for session in Session.objects.filter(
        ~Q(session_key = request.session.session_key),
        expire_date__gte = timezone.now()
    ):
        data = session.get_decoded()
        if data.get('_auth_user_id', None) == str(user.id):
            # found duplicate session, expire it
            session.expire_date = timezone.now()
            session.save()

    return

user_logged_in.connect(limit_sessions)
回复 原文
花桑 2025-01-04 08:47:09

尽管不推荐,但您始终可以使用此方法,但它确实有效。

my_old_sessions = Session.objects.all()
for row in my_old_sessions:
   if row.get_decoded().get("_username") == request.user.username:
      row.delete()

在对用户进行身份验证之前,您可以在 login() 函数中实现上面的代码。

当然,只有当您有一个 login() 函数方法将用户用户名存储在他的会话中时,这才有效,如下所示:

request.session["_username"] = request.user.username

如果您使用此方法,请记住在运行服务器之前清空所有会话的数据库。这些更改是因为它会引发 KeyLookUp 错误。

You can always use this approach though not recommended, it works.

my_old_sessions = Session.objects.all()
for row in my_old_sessions:
   if row.get_decoded().get("_username") == request.user.username:
      row.delete()

You would implement the code above in your login() function right before authenticating the user.

This of course only works if you have a login() function method that stores the USERS username in his session like follows:

request.session["_username"] = request.user.username

If you use this approach just remember to empty your database of all of your sessions before running your server after you've made these changes because it will raise KeyLookUp errors.

回复 原文
命硬 2025-01-04 08:47:09

我觉得 django.contrib.auth 信号在某种程度上可以有所帮助。登录时,使旧用户会话无效。

I feel that, somehow, django.contrib.auth signals could help here. On login, invalidate older user sessions.

回复 原文
~没有更多了~

关于作者

樱娆

暂无简介

文章
评论
27 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

tomoekana

文章 0 评论 0

无边思念无边月

文章 0 评论 0

眼角的笑意。

文章 0 评论 0

在风中等你

文章 0 评论 0

是你

文章 0 评论 0

syong71

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文