The current requirement is for an app, similar to QQ and other communication tools, to allow only a single user login: when the user logs in somewhere else, the previous login is kicked off. I don't know how to achieve this; has anyone done it?
Reply content:
Capture the device information of the device the app is running on and bind that device information to the user, so that a user is allowed on only one device; when the user logs in on a new device, the previous device is kicked off.
Over the last half year we designed and implemented a single sign-on system (Tnsso). It is a very common kind of system, but we did a lot of in-depth and detailed exploration of functionality and experience, so here is a summary record. Below, SSO also refers to this system.
Tnsso provides various types of login for the PC version and the mobile version: regular login with a mailbox account or mobile phone number, joint login using Sina, QQ and other accounts, and login with a mobile phone dynamic password. In addition, different platforms provide some special logins to enhance the user experience; for example, a share link opened in the company's app can log in directly using authorization, while on the PC page there is scan-code login.
Now many mobile app pages are simply normal mobile web pages embedded in the app, with the app acting as the browser; the benefits need no explanation. Because the app's native sign-in experience is better than opening a page in the app and logging in there, we also keep the native login in the app. Tnsso is compatible with the app's native login method, so it can identify the user's login status in the app. You can also use the app's scan function to log in to the PC version through SSO.
The following is a single sign-on sequence diagram. I will not explain it further; even someone who has not seen one before should be able to understand how it works:
Security and experience
Tnsso has some very fine-grained considerations in terms of security and experience, and optimizes the user experience as far as possible while ensuring system security.
1. HTTPS for the whole process, to prevent communication between the client and the server from being eavesdropped.
2. A whitelist for the callback URL setting; a client subsystem that accesses SSO must first register with SSO.
3. Tokens are valid once only, are bound to the client subsystem, and are destroyed immediately after use.
4. To enhance the user experience, the first 3 logins per IP each day, or the first 3 dynamic-password sends per mobile phone number, do not require the user to enter a verification code.
5. A single verification code that is reused to send the mobile phone dynamic password more than 3 times fails.
6. etc.
Compatible App Login
The app's user login information is stored separately in the app and does not use the public login service provided by SSO. So when the user accesses an embedded page through the app, how can the page know the user's login status, and how can the embedded web page and the app share login status?
Our solution: when the app accesses an embedded page PageA that requires login, PageA 302-redirects to the SSO login page. This happens inside the app, and the app adds a hash value to the cookie when it accesses the SSO login page. After receiving the request, SSO determines whether SSO itself is logged in; if not, it uses the hash value in the cookie to request the user ID from the app server, generates user login information once the user ID has been obtained, and then redirects with a token to the callback URL of PageA's system, WebA, which repeats the login process above to log in. If the hash value is empty, or the user ID retrieved from the app server based on the hash value is empty, it redirects to a URL that the app hijacks, and the process is repeated after the app has completed its login.
The app sets a hash value in the cookie instead of setting the user ID directly, for security reasons: SSO calls the app server's interface itself to retrieve the user ID, so legitimacy is ensured and the result can be trusted.
The sequence diagram is as follows:
Scan Code Login
Scan-code login is a popular practice now: the user is already logged in on their own mobile phone or other mobile device, and that login is trustworthy, so it can be used to provide a shortcut for logging in on the PC. It is simple and quick, with a good experience, and users do not need to enter a long, complicated password that they cannot remember. So this login method is also one we must provide; although it has not been officially released yet, the design has already been planned.
The specific implementation is that the SSO server randomly generates a collision-free code, stores it in the database, and renders it into a QR code image displayed on the PC version's login page; the page uses JavaScript short polling to query the server for the login information corresponding to the code. The app uses its built-in scan function to identify the code in the image, and then requests the SSO interface via the app server, passing the code and the hash value of the user login information mentioned above as parameters. After receiving the request, SSO determines whether this code exists in our database; if it exists, the request is legitimate, and SSO then uses the hash value to request the user ID from the app server. The rest of the process is almost the same as the app login described above. The JS polling refreshes the page after the user has logged in, or jumps back to where the user came from.
Finally, Tnsso in fact provides not only a unified login service but also integrates user registration, password recovery and other functions, so calling it a passport system is more appropriate; it is the company's system with the highest stability and security requirements.
Http://atlantisplus.net/articles/570.html
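The scan-code flow and the token rules from the list above (one-time token, bound to the registered subsystem, callback URL whitelisted) combined into one runnable model. This is an added example, not Tnsso's code: `AppServer` is a constructed stand-in for the app server that resolves the app's cookie hash to a user ID, the 120-second code lifetime is an assumption, and all names are hypothetical. It also adds the expiry and collision checks a practitioner would want around the random code.

```python
import secrets
import time

CODE_TTL_SECONDS = 120   # assumption: how long a displayed QR code stays valid


class AppServer:
    """Constructed stand-in for the app server. It maps the opaque hash the app
    puts in its cookie back to a user ID; SSO never trusts a user ID sent by a client."""

    def __init__(self):
        self._hash_to_uid = {}

    def native_login(self, uid):
        h = secrets.token_hex(16)          # opaque value the app stores in its cookie
        self._hash_to_uid[h] = uid
        return h

    def uid_for_hash(self, h):
        return self._hash_to_uid.get(h)


class SSOServer:
    def __init__(self, app_server, callback_whitelist):
        self.app_server = app_server
        # subsystem name -> registered callback URL (the whitelist rule above)
        self.whitelist = callback_whitelist
        self._codes = {}    # qr code -> {"uid": None | str, "created": float}
        self._tokens = {}   # one-time token -> (uid, subsystem)

    # --- PC login page ---------------------------------------------------
    def new_qr_code(self, now=None):
        now = time.time() if now is None else now
        while True:
            code = secrets.token_urlsafe(24)
            if code not in self._codes:    # never hand out a code already in use
                break
        self._codes[code] = {"uid": None, "created": now}
        return code                        # rendered into the QR image by the page

    def poll(self, code, subsystem, callback_url, now=None):
        """Called by the page's short polling. Returns None until a phone has
        confirmed the code, then the redirect URL carrying a one-time token."""
        now = time.time() if now is None else now
        rec = self._codes.get(code)
        if rec is None:
            return None
        if now - rec["created"] > CODE_TTL_SECONDS:
            del self._codes[code]          # expired codes are dropped
            return None
        if rec["uid"] is None:
            return None                    # not scanned yet
        if self.whitelist.get(subsystem) != callback_url:
            return None                    # callback must match the registration
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (rec["uid"], subsystem)   # bound to this subsystem
        del self._codes[code]              # the code is consumed once used
        return f"{callback_url}?token={token}"

    # --- phone side (request arrives via the app server) ------------------
    def scan_confirm(self, code, app_hash, now=None):
        now = time.time() if now is None else now
        rec = self._codes.get(code)
        if rec is None or now - rec["created"] > CODE_TTL_SECONDS:
            return False                   # unknown or expired code: reject
        uid = self.app_server.uid_for_hash(app_hash)
        if uid is None:
            return False                   # hash not recognised by the app server
        rec["uid"] = uid
        return True

    # --- subsystem (WebA) callback ---------------------------------------
    def redeem_token(self, token, subsystem):
        """Exchange the token for a uid exactly once. Any use, including by the
        wrong subsystem, destroys it."""
        rec = self._tokens.pop(token, None)
        if rec is None:
            return None
        uid, bound_to = rec
        return uid if bound_to == subsystem else None


if __name__ == "__main__":
    app = AppServer()
    h = app.native_login("u42")                      # phone already logged in
    sso = SSOServer(app, {"weba": "https://weba.example/callback"})
    code = sso.new_qr_code()
    sso.scan_confirm(code, h)                        # phone scans the QR code
    url = sso.poll(code, "weba", "https://weba.example/callback")
    print(url, sso.redeem_token(url.split("token=", 1)[1], "weba"))
```

The page keeps polling `poll()` with its own code; nothing on the PC side ever learns the user ID until the subsystem redeems the token server-side, and a second poll or a second redeem returns nothing because both the code and the token are deleted on first use.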
Looking at the reply above, it's so long that it's obviously copied. On successful login, log a timestamp and set a cookie based on that timestamp; at login, parse the cookie and compare the timestamp. In other words, make a token and update that token whenever login succeeds.
Bind the UID and the device, as said above, and have each operation check whether the UID and the current device match.
There is also a third party, Easemob (环信), that provides a single sign-on function with callback handling, so you don't need to implement the long connection yourself.
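The two suggestions above (a per-login token that is replaced on each successful login, and a UID-to-device binding checked on every operation) put together as one server-side session store. This is an added example, not code from any reply; it uses a random token instead of a timestamp so the value is not guessable, signs the cookie with a constructed demo key, and all names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-change-me"


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(uid, token, device_id):
    """Cookie value is uid|token|device|hmac, so the client cannot edit the
    fields; the server still checks the token against its own store."""
    payload = f"{uid}|{token}|{device_id}"
    return f"{payload}|{_sign(payload)}"


def parse_cookie(cookie):
    """Return (uid, token, device_id) if the HMAC verifies, else None."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    uid, token, device_id, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{uid}|{token}|{device_id}")):
        return None
    return uid, token, device_id


class SingleDeviceSessions:
    """One active session per user. A login on another device replaces
    (kicks off) the previous one, so the old device's cookie stops validating."""

    def __init__(self):
        self._active = {}   # uid -> (session_token, device_id, issued_at)

    def login(self, uid, device_id, now=None):
        """Issue a fresh random token bound to this device. Returns
        (cookie, kicked_device); kicked_device is the id of the device whose
        session was replaced, or None (so the old device can be notified)."""
        now = time.time() if now is None else now
        token = secrets.token_hex(16)          # unpredictable, unlike a timestamp
        old = self._active.get(uid)
        kicked = old[1] if old is not None and old[1] != device_id else None
        self._active[uid] = (token, device_id, now)
        return make_cookie(uid, token, device_id), kicked

    def check(self, cookie, presented_device_id):
        """Validate a cookie on a request from presented_device_id (the check
        every operation runs). Returns the uid on success, None otherwise."""
        parsed = parse_cookie(cookie)
        if parsed is None:
            return None                        # forged or malformed cookie
        uid, token, cookie_device = parsed
        rec = self._active.get(uid)
        if rec is None:
            return None                        # logged out
        cur_token, cur_device, _ = rec
        if not hmac.compare_digest(cur_token, token):
            return None                        # replaced by a newer login: kicked off
        if cur_device != cookie_device or cur_device != presented_device_id:
            return None                        # cookie is being used from another device
        return uid

    def logout(self, uid):
        self._active.pop(uid, None)


if __name__ == "__main__":
    s = SingleDeviceSessions()
    c1, _ = s.login("u1", "phone-A")
    c2, kicked = s.login("u1", "phone-B")
    print("kicked:", kicked, "A valid:", s.check(c1, "phone-A"), "B valid:", s.check(c2, "phone-B"))
```

A request from the old device fails the token comparison as soon as the new login lands, which is the "top off the previous login" behaviour the question asks for; the device field catches the other case, a valid cookie copied to a device it was not issued to.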