JP2008242676A - Web login restriction system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a web login restriction system capable of flexible login restriction. <P>SOLUTION: The web login restriction system comprises a plurality of user terminals and a server connected to the plurality of user terminals via a network. The system includes a login accepting means for accepting a login from either of the plurality of user terminals via the network, a login number calculation means for calculating the number of current logins, and an acceptability determining means for determining whether or not a login from the user terminal is acceptable based on the number of logins calculated by the login number calculation means and an upper limit for logins that is previously stored in a storage means. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

The present invention relates to a web login restriction system used in a portal system such as an educational institution.

  When applied to educational institutions such as universities, the busy and quiet periods according to the academic calendar, such as the registration period, entrance examination period, and employment period, are conspicuous. Investment in infrastructure facilities that match peak usage remains unaffected. In addition, due to the nature of information handled by universities (personal information, results information, etc.), infrastructure facilities of external organizations cannot be used, so infrastructure facilities are maintained and managed as a university within a limited budget. The reality is.

  Students' system usage has also changed with the recent trend toward broadband networks, and it can be used not only from within the university, but also from outside the university, at home, from a mobile phone, etc. according to your life rhythm. It has become a form. In addition, unlike companies, there is a background in which setting of client PCs and operating OS cannot be forced on students (homes).

  This limited peak usage period is based on the above-mentioned changes in usage patterns and environments, and needs to efficiently and flexibly and stably operate system facilities without maximizing user frustration. There is.

  As a system for solving this problem, a system has been proposed in which web access is identified by a session ID and access is restricted by the number of simultaneous sessions. For example, in a system as shown in Patent Document 1, it is possible to acquire a session ID using Coockie and manage the number of sessions.

JP 2004-127172 A

  The Coockie used in the conventional login limit system is stored on the client side as a file on the browser being used. Coockie stores values, valid domains, etc., causing tampering and privacy issues.

  In addition, since the conventional login number limiting method is based on the number of requests, it is difficult to maintain an accurate number of logins when there is a user who ends a session with a browser close button.

  The object of the present invention is to maintain the number of logins permitted for authentication and information thereof in a web system with user authentication, and to prevent login even if authentication is successful when there are more than a certain number of login requests. It is to realize an environment for providing continuous web services to already logged-in users. Naturally, since the web system is a system in which the number of users changes according to the day of the week or the time zone, the pattern information is held and flexible operation is possible.

  In order to solve the above problems, the web login restriction system of the present invention includes a server accessed from a user terminal. The server includes software having a web service, a program having an authentication function, login information, a database for storing login restrictions, a program for counting the number of logins, and a program for periodically resetting login information. Here, the aggregation process may count the number of logins.

In the normal processing method of the web login restriction system of the present invention, the user accesses the login screen of the server from a terminal used by the user. The server refers to the database that stores login restrictions every time the login screen is accessed. At this time, the login restriction may be a storage medium such as a file. The maximum number of valid flags, day of the week, time zone, maximum number of logins, clear elapsed time, restricted IP address, and usable area are stored in the login restriction. In addition, a maintenance flag may be stored. The day of the week item may store a period and season based on the date. The server compares the restriction information with the result of the aggregation process, and stores the login information for access that has cleared the restriction condition in the storage medium. Remote IP address, referer, and FQDN are used to determine the access source (Internet, mobile phone, intra). The login information stores an ID for identifying the user, a nomination, an IP address, HTTP header information, a login date, and a last request date. After login, the last request date is updated every time the user accesses the web system.
On the other hand, the server periodically checks the usage status of each user through the login information reset program, and deletes from the login information information of users whose clear elapsed time has elapsed since the last request time.

  Also, whenever the user accesses the system, the login information database is referred to, and when there is no user information, it is treated as logout. If there is a maintenance flag, it may be treated as forced logout.

  When the service is restarted, all records in the login information database are cleared.

  As described above, according to the web system login restriction system of the present invention, it is possible to impose a use restriction not by the number of requests to the web server but by the number of logins and to operate the load. In addition, IP addresses that are exempt from restrictions can be set up to handle urgent logins. In addition, by using the maintenance flag, new login can be suppressed while the user process currently logged in is continued.

  FIG. 1 is a configuration example according to the web login restriction system of the present invention. A user temporarily stores information in memory 101, communication means 102 for transmitting / receiving information to / from other devices on the network, CPU 103 as an arithmetic processing unit, main storage device 104 for storing information, input interface such as a keyboard 105, an apparatus 100 including an output interface 106 such as a display and web browsing software 107 for browsing a web page is used. A user uses the web browsing software 107 to access the server 200 from the communication means 102 through the intra and the Internet. The server 200 installed in the intra is a memory 201 for temporarily storing information, a communication means 202 for transmitting / receiving information to / from other devices on the network N, a CPU 203 as an arithmetic processing device, and a main storage device for storing information 204, an input interface 205 such as a keyboard, an output interface 206 such as a display, a storage medium reading device 207 that acquires information from a read-only storage device such as a ROM, web service software 208 that cooperates with the program, a login restriction DB 300, and a login information DB 400 Prepare.

  FIG. 9 is an example of a login restriction database 300 and a login information database 400 used in the web login restriction system of the present invention.

  Each item of the login restriction database 300 will be described. The active flag 301 stores an invalid / valid flag. If the invalid flag is stored, login restriction is not performed. The day of the week 302 stores the day of the week, date, period, and season. Match the date when the system was accessed. The time zone (From) 303 and the time zone (To) 304 store the time zone in which login is restricted. Match the time zone when accessing the system. The login upper limit number 305 stores the upper limit number that can be simultaneously connected to the system. If the number of logins reaches the upper limit, login restriction is performed. The clear elapsed time 306 stores the time from when the user last accessed the system until it is cleared. The available area 307 stores an area connectable to the system. Restricted exclusion IP308 stores an IP address and stores an IP address that is not subject to login restrictions, and responds to an emergency access request. The maintenance flag 309 stores an invalid / valid flag. If it is valid at the time of access, login is restricted. If there is a system user, you can restrict subsequent logins by switching the maintenance flag.

  Each item of the login information database 400 will be described. The user ID 401 stores the system usage ID of the user who has successfully logged in. IP 402 stores the IP address of the user terminal. The HTTP header 403 stores HTTP header information transmitted from the browser of the user terminal. The login date and time 404 stores the login success date and time. The last request date and time 405 stores the date and time when the user last accessed the system.

  Next, the flow of the entire work including authentication when the user accesses the server will be described with reference to FIG. The user transmits a request for the TOP page to the server 200 using the user terminal 100 (step S201). The server 200 acquires the IP address of the user terminal 100 (step S202). The server 200 reads the login restriction database 300 and acquires restriction information corresponding to the day of the week 302 of the login restriction database 300 from the system date (step S203). It is confirmed whether the maintenance flag 309 of the corresponding restriction information is valid (step S204).

  For example, if the IP address of the user terminal 100 is 192.168.1.100 and access is made at 10:00:00 on Monday, the server receives the request (step S201) and acquires the IP address of the user terminal (step S201). S202), the restriction information of item number 1 in the login restriction database 300 is acquired from the system date (step S203).

  If the maintenance flag 309 is valid, an error message is determined (step S214). An error screen is displayed (step S215), and the process ends (step S216).

  For example, if the access date is the spring period, the record of item number 3 in the login restriction database is acquired, and the maintenance flag 309 is valid, so an error message is determined (step S214). An error screen is displayed (step S215), and the process ends (step S216).

  If the maintenance flag is invalid 309, it is confirmed whether the active flag 301 is valid (step S205).

  If the active flag 301 is invalid, an authentication screen is displayed (step S211).

  When the active flag 301 is valid (step S205), the restriction exclusion IP address 308 is confirmed (step S206).

  If it is included in the restriction release IP address 308, an authentication screen is displayed (step S211).

  If the IP address 308 is not included in the restriction release IP address 308, it is confirmed whether the access is included in the time zone (From) 303 and the time zone (To) 304 (step S207).

  If the access of the system date is not included in the time zone (From) 303 and the time zone (To) 304, an authentication screen is displayed (step S211).

  If the access of the system date is included in the time zone (From) 303 and the time zone (To) 304, it is confirmed whether the access is from the available area 307 (step S208).

  If the access is from other than the available area 307, an error message is determined (step S214). An error screen is displayed (step S215), and the process ends (step S216).

  If the access is included in the available area 307, records are collected from the login information database 400 to obtain the number of logins (step S209).

  If the number of logins has reached the login upper limit number 305, an error message is determined (step S214). An error screen is displayed (step S215), and the process ends (step S216).

  If the number of logins has not reached the maximum number of logins 305, an authentication screen is displayed (step S211). Authentication is performed (step S212), and if it fails, the process ends (step S216). If the authentication is successful, the user ID 401, IP 402, HTTP header 403, login date / time 404, and last request date / time 405 are written in the login information database 400 (step S213), and the process ends (step S216).

  FIG. 3 illustrates a flow of login information reset processing periodically executed by the server. A login information reset program is executed at regular intervals (step S301). The login restriction database 300 is read (step S302), the day of the week 302, the time zone (From) 303, and the time zone (To) 304 are searched from the system date of the server, and the clear elapsed time 306 of the corresponding restriction information is obtained (step) S303). Of the records in the login information database 400, a record in which the difference between the server system date and the latest request date 405 exceeds the clear elapsed time 306 is deleted (step S304), and the process is terminated (step S305).

  For example, if the system date is 2007/03/02 15:50:40, the conditions apply to the day 302, time zone (From) 303, and time zone (To) 304 in the login restriction database, item 2, and clearing has elapsed. Times 306 and 50 min are acquired (step S303). Of the records in the login information database 400, the record of item number 1 exceeding the clear elapsed time 306 is deleted (step S304), and the process is terminated (step S305).

  FIG. 4 illustrates the flow of access information registration processing executed every time a user accesses the system. An access information registration program is executed every time a user accesses a web page in the system (step S401). The login information database 400 is read (step S402), and it is searched whether the user ID 401 and the IP 402 of the user terminal exist (step S403). If the record exists, the last request date / time 405 of the login information database 400 is updated to the current date / time (step S404). If no record exists, an error message is displayed (step S405), the TOP screen is displayed (step S406), and the process is terminated (step S407).

It is a block diagram concerning the web login restriction system of the present invention. It is a processing flow at the time of server access of this invention. It is a processing flow of login information database reset in this invention. It is a processing flow of access information registration in the present invention. It is an example of the authentication screen in this invention. It is an example of the error screen at the time of accessing from the outside usable area in this invention. It is an example of an error screen when the login upper limit in this invention is reached. It is an example of the error screen at the time of accessing after clear time progress in this invention. It is a DB table structural example which the server in this invention has. It is an example of a screen under maintenance in the present invention.

Explanation of symbols

100 ... user terminal, 200 ... server.

Claims (5)

A web login restriction system composed of a plurality of user terminals and a server connected to the plurality of user terminals via a network,
Login accepting means for accepting login from any of the plurality of user terminals via the network;
Login number calculation means for calculating the current number of logins;
Acceptability determining means for determining whether or not to accept login from the user terminal based on the number of logins calculated by the login number calculating means and the login upper limit value stored in advance in the storage means;
A web login restriction system comprising:   The web login restriction system according to claim 1, wherein the login upper limit value stored in the storage means is managed for each day of the week.   The web login restriction system according to claim 1, wherein the login upper limit value stored in the storage unit is managed for each period.   The web login restriction system according to claim 1, wherein the login upper limit value stored in the storage means is managed for each season.   2. The acceptance determination unit, when the number of logins calculated by the login number calculation unit is equal to or less than the login upper limit value, transmits a predetermined warning message to the terminal via the network. The web login restriction system according to any one of 4 to 4.

Images