
Rails: Limiting daily user login count by IP address?

Developer https://www.devze.com 2022-12-17 11:54 Source: web

Is there any way to limit a user's login access to only, say, 5 IP addresses daily? Such that if a user account tried to login in the same day from a 6th different IP address, they would be denied. I would like this restriction to reset at the end of the day, however.

If Authlogic doesn't provide a way to track this out of the box, what ideas do you have about how I should implement this? As you can probably tell, I'm already using Authlogic for authentication.

My main goal is to limit my user's ability to share their login with a non-registered user; I know that most people's IP address will change periodically throughout the day because hardly anyone has a personal static IP, but I think 5 is a fair number of allowances, even taking into account that a user may visit my site on their iPhone, or at Starbucks, etc.

Thoughts?

UPDATE: After reading through many of the comments on the link provided by @tadman, I'm thinking that it might be more useful to limit the number of new sessions created on a machine that had none previously instead of by IP address. If I understand how Authlogic works, sessions are a combination of server-side records and a cookie in the user's browser, correct? If I "log out" of my site, the cookie is still there in my browser, is it not? Just with an expired value or something like that. Can I test against that? Such that if a computer doesn't have that cookie at all, I would consider it to be a completely NEW login, and I would limit the number of new logins to 5 a day? Would that be a feasible approach?

See this user's comments about rate limiting by IP for an angle on what I mean: http://simonwillison.net/2009/Jan/7/ratelimitcache/#c43031


Although you can track this in a database, a more lightweight solution is to track this using Memcached. This allows you to do other things, like limiting login rates and restricting the number of unique IPs a person may visit from over the course of a given time.

The nice thing about Memcached is it will automatically expire records after a specified period of time. With the database-driven approach you will have to do this yourself.

Example: http://simonwillison.net/2009/Jan/7/ratelimitcache/


I'd probably create a table called sessions, which contains ip_address, logged_in_at, user_id. You'd do something like this when a user logs in:

# request.remote_ip is what Rails reports as the client address; record the
# login time so the daily check in the model has something to count against.
session = current_user.sessions.build(:ip_address => request.remote_ip,
                                      :logged_in_at => Time.now)
if session.valid?
  session.save!
  redirect_to root_url
else
  redirect_to you_cant_login_url
end

In your session.rb, you'd have

class Session < ActiveRecord::Base
  belongs_to :user
  validate :hasnt_logged_in_a_bunch

  protected

  # Deny the login when the user has already logged in since midnight from
  # 5 other distinct IP addresses; a repeat from a known address is allowed.
  def hasnt_logged_in_a_bunch
    todays_ips = user.sessions
                     .where('logged_in_at >= ?', Time.now.beginning_of_day)
                     .pluck(:ip_address).uniq
    if !todays_ips.include?(ip_address) && todays_ips.size >= 5
      errors.add(:base, "You've logged in too many times")
    end
  end
end

Sorry if this is a bit ugly and isn't valid code, but it should hopefully point you in the right direction.
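The following is an added example, not code from either answer above, that puts both ideas together: a per-user set of today's IP addresses kept in an expiring key/value store (as the Memcached answer suggests), with the distinct-IP-per-day rule from the sessions-table answer. The store is an in-memory stand-in for a real cache client, and the clock is injectable so the midnight reset can be exercised; both are assumptions of this example.

```ruby
require 'set'
require 'date'

# In-memory stand-in for a Memcached/Redis client: each key carries an
# absolute expiry time, and expired keys vanish on read (a real client would
# serialize the Set rather than hold it by reference).
class ExpiringStore
  def initialize(clock = -> { Time.now })
    @clock = clock
    @data = {}
  end

  def get(key)
    entry = @data[key]
    return nil if entry.nil?
    if entry[:expires_at] <= @clock.call
      @data.delete(key)
      return nil
    end
    entry[:value]
  end

  def set(key, value, expires_at)
    @data[key] = { value: value, expires_at: expires_at }
  end
end

# Allows a user to log in from at most `limit` distinct IP addresses per
# calendar day. The key is dated and expires at the next local midnight, so
# the limit resets without any cleanup job.
class DailyIpLimiter
  def initialize(store, limit: 5, clock: -> { Time.now })
    @store, @limit, @clock = store, limit, clock
  end

  # true => let the login proceed; false => deny it.
  def allow?(user_id, ip)
    now = @clock.call
    key = "login_ips:#{user_id}:#{now.strftime('%Y-%m-%d')}"
    ips = @store.get(key) || Set.new
    # A repeat from an already-seen address never counts against the limit.
    return true if ips.include?(ip)
    return false if ips.size >= @limit
    ips << ip
    next_midnight = (now.to_date + 1).to_time
    @store.set(key, ips, next_midnight)
    true
  end
end
```

Feed it the address Rails derives as request.remote_ip; counting a raw X-Forwarded-For header instead lets the client choose which address gets counted.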
