Web application: when the same account logs in twice, the later login kicks the earlier login offline

  Without session control, a web application can end up in this situation: A logs in to an account, B also logs in to the same account, A modifies some information, and B sees the information change. This is a bad user experience: B will think "I did not change anything, so why did the information change?" With session control, A logs in first, B logs in afterwards, and B's login kicks A offline.

  Implementation idea: timestamp comparison

  1. When a user logs in, the backend does not need to intercept the request. The frontend passes the username and password to the backend; the backend generates a JWT-format token and returns it to the frontend, and stores the user information in Redis as the value, with the token as the key.

  2. For all other URL paths, the filter intercepts the request and checks whether the frontend sent a token. If no token is carried, or a token is carried but is no longer valid (it cannot be found in Redis), an error message is returned directly to the frontend. Otherwise the filter queries Redis for the stored token, using the username as the key:
     - If no token is found, the filter stores the incoming token in Redis with the username as the key and the token as the value, and lets the request through.
     - If the token queried from Redis is the same as the token passed from the frontend, the request is let through.
     - If the two tokens differ and the timestamp of the token passed from the frontend is greater than that of the token in Redis, the token in Redis is overwritten with the incoming one.
     - Otherwise the incoming token is logged out, the message "Your account has been logged in on another device" is returned, and the request is intercepted.

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils; // assumed: commons-lang3 StringUtils
import org.redisson.api.RBucket;

// PREFIX, redissonClient, userService and sendJsonResponse come from KickOutFilter;
// JWTUtil is the project's own helper class.
public class CompareKickOutFilter extends KickOutFilter {
    @Override
    public boolean isAccessAllowed(HttpServletRequest request, HttpServletResponse response) {
        String token = request.getHeader("Authorization");
        String username = JWTUtil.getUsername(token);
        String userKey = PREFIX + username;
        RBucket<String> bucket = redissonClient.getBucket(userKey);
        String redisToken = bucket.get();

        if (StringUtils.isBlank(redisToken)) { // first request: store the token
            bucket.set(token);
        } else if (token.equals(redisToken)) { // the same token
            return true;
        } else {
            Long redisTokenUnixTime = JWTUtil.getClaim(redisToken, "createTime").asLong();
            Long tokenUnixTime = JWTUtil.getClaim(token, "createTime").asLong();
            if (tokenUnixTime.compareTo(redisTokenUnixTime) > 0) {
                // the incoming token is the newest one, overwrite the old token
                bucket.set(token);
            } else {
                // the incoming token is older (or has the same timestamp): log it out
                userService.logout(token);
                sendJsonResponse(response, 4001, "Your account has been logged in on another device");
                return false;
            }
        }
        return true;
    }
}
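
The filter above reads the stored token with bucket.get() and writes it back later with bucket.set(), so two concurrent requests can interleave between the read and the write. The following added example (not code from the project) runs the same timestamp decision as a single atomic step, with an in-memory map standing in for Redis. Session, Decision, check() and the sample tokens are hypothetical names and constructed values, and the token is assumed to have had its signature verified before its createTime is trusted.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: the kick-out decision with an in-memory map in place of Redis.
// Session, Decision and check() are hypothetical; createTime mirrors the JWT claim.
public class KickOutDemo {
    record Session(String token, long createTime) {}
    enum Decision { ALLOW, KICKED }

    // username -> newest session seen so far (the Redis bucket in the filter)
    static final Map<String, Session> store = new ConcurrentHashMap<>();

    static Decision check(String username, Session incoming) {
        // merge() is atomic per key: two concurrent requests cannot both read
        // the old value and then overwrite each other's result.
        Session winner = store.merge(username, incoming,
            (stored, in) -> in.createTime() > stored.createTime() ? in : stored);
        // The store now holds the winner; any other token is stale and is kicked.
        // A different token with an equal timestamp loses, as in the filter.
        return winner.token().equals(incoming.token()) ? Decision.ALLOW : Decision.KICKED;
    }

    public static void main(String[] args) {
        Session a = new Session("token-A", 1000L); // constructed: A logs in first
        Session b = new Session("token-B", 2000L); // constructed: B logs in later
        System.out.println(check("alice", a)); // first request, token is stored
        System.out.println(check("alice", a)); // same token again
        System.out.println(check("alice", b)); // newer token replaces A's
        System.out.println(check("alice", a)); // A's token is now the older one
        System.out.println(check("alice", b)); // B keeps working
    }
}
```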

 

Project structure:

 

Project Address: https://github.com/jake1263/loginCtl

 


Origin www.cnblogs.com/moris5013/p/11128135.html