Only one user is allowed to log on to the system and one user is allowed to log on to the system on the same computer.

Only one user is allowed to log on to the system and one user is allowed to log on to the system on the same computer.
In web application systems, for security reasons, it is often necessary to limit the number of users logging on to the same client and the number of users logging on to multiple clients at the same time. Specifically:

1. Only one user can log on to the system on the same computer at a time. 2. One user can only log on to one client at a time.

A system I recently developed has encountered such a problem. The system has been developed, but the security evaluation has not passed, because there are no restrictions. How can this restriction be implemented? I have been searching for this online for a long time and found that many people have asked this question, but I have not found any clear answer. Later, I found myself, read some books, and finally found a solution.

It is not difficult to solve this problem. It may be too difficult for the experts to talk about it, but it may be difficult for people who are not familiar with web programming for a long time. Next I will explain my solutions for your reference!

First, let's introduce the background of my system: j2ee, tomcat, and no cookie.

First, determine the basic ideas for solving these two problems:

1. There is only one way to allow only one user to log on to the system on the same computer. Monitor the source of each connection. If a new connection and an existing connection come from the same computer, terminate one of them (you can also remind the user, let him decide which one to terminate ).

2. to prohibit a user account from logging on to different clients at the same time, only the user account that monitors each connection must be disabled, if you find that the user account for a new connection is the same as the user account for an existing connection, the previous one is automatically terminated (you can also decide which one to terminate ).

After determining the basic idea, we need to find a specific method. My initial idea was to create a table in the database to store the username, physical address, Session id, and other information of the logged-on user. When a user logs on, it matches the data in this table. If the physical address is the same as a record in the table, it indicates that multiple users log on to the same client, if you find that the username of the user you are logging on to is the same as that in the table, but the host name is different, it means that an account is used on different clients at the same time.

I believe that many people who encounter this problem will consider this solution. However, there are many problems with this method. There are two major problems: efficiency. Each time, data is retrieved from the database for matching. The second is that you need to delete the records in the table when exiting, but it is difficult to monitor the records in a timely manner when the user exits abnormally (it was found that there was a way to monitor the records later ).

Later, in a post on the Internet, I saw a Daxia talking about using a listener, but the Daxia was too vague to solve the problem. Although it cannot be solved, it provides an idea. So I found a book and carefully read the part about the listener. The solution is here !!!

For more information about listeners, see my next blog. Here we will first tell you the solution:

The listener can listen to the Session and its attributes, that is, Attribute.

So what we need to do is:

1. Create a listener to implement the HttpSessionAttributeListener interface and listen on adding, editing, and deleting events for each Attribute. The listener also creates a map to put all sessions into this map.

2. When a user logs on, the user name, physical address, and Session id are stored in the Session (a user login address data transmission object can be created. I created a UserSessionAdd class, which contains username, macAdd and sessionId attributes. When a user logs on, the data object is initialized and stored in the session ).

3. When each new Session is enabled, the listener determines the attributes contained in the session. If the new attributes are the same as the user logon address data of the existing Session in the map, it indicates that the new session conflicts with the two restrictions we have to make. Extract conflicting sessions and destroy them!

This is not clear enough. Let's look at the code below:

Web. xml

<Listener>
<Listener-class> complete listener path </listener-class>
</Listener>

 

User Login address data transmission object:

Public class UserSession {

Private String addr;

Private String sessid;

Private String username;

Public String getAddr (){
Return addr;
}

Public void setAddr (String addr ){
This. addr = addr;
}

Public String getSessid (){
Return sessid;
}

Public void setSessid (String sessid ){
This. sessid = sessid;
}

Public String getUsername (){
Return username;
}

Public void setUsername (String username ){
This. username = username;
}

}

 

User Logon code:

HttpSession session = request. getSession ();

String userHost = request. getRemoteHost ();

String sessionId = request. getSession (). getId ();

UserSession userSession = new UserSession ();

UserSession. setUsername (user. getUsername ());

UserSession. setSessid (sessionId );

UserSession. setAddr (userHost );

Request. getSession (). setAttribute ("userSession", userSession );

 

Listener code:

Import java. util. HashMap;
Import java. util. Map;

Import javax. servlet. http. HttpSession;
Import javax. servlet. http. HttpSessionAttributeListener;
Import javax. servlet. http. HttpSessionBindingEvent;

Public class LoginListenner implements HttpSessionAttributeListener {

Map <String, HttpSession> map = new HashMap <String, HttpSession> ();

Public void attributeAdded (HttpSessionBindingEvent event ){
String name = event. getName ();

If (name. equals ("userSession ")){

UserSession userSession = (UserSession) event. getValue ();

If (map. get (userSession. getUsername ())! = Null ){

HttpSession session = map. get (userSession. getUsername ());

Session. removeAttribute ("userSession ");

Session. invalidate ();
}
Map. put (userSession. getUsername (), event. getSession ());
}

}

Public void attributeRemoved (HttpSessionBindingEvent event ){
String name = event. getName ();

If (name. equals ("userSession ")){

UserSession userSession = (UserSession) event. getValue ();

Map. remove (userSession. getUsername ());

}
}

Public void attributeReplaced (HttpSessionBindingEvent event ){
// TODO Auto-generated method stub

}

}



How can JSP be used as a website to restrict only one user to log on to the same computer at a time?

Use computer machine code as the identification for user logon.
Only one session can exist for the same ID.
Similar to QQ, login to two identical numbers will have one forced to go offline.

Asp does not limit that the same user can log on to the same website on the same computer.

There are three solutions, but they are not very good at implementation.
1. Use cookies to record the user's logon status. The server generates a verification code and stores it in the cookies of the client. The server reads the cookie value of the client to determine whether to log on to the website for the first time. The disadvantage is that the storage does not last long. Once the cookies expire or the user deletes or closes the cookies, they cannot be used again.
2. Determine based on the user IP address. This works well, but it is not suitable in China. Domestic Internet users are basically using ADSL dialing, and each connection will change to a new IP address. However, LAN performance is good.
3. Write a control to install it on the client. The client sends some authentication information of the client host to the server through the control, such as the serial number of the hard disk. Although this item can solve the problem well, most netizens are reluctant to install a component.