It may be desirable to restrict each user account on a web application to one login at the same time. This is a useful security measure when each user should only be logged in once from a single location.
One technique for doing this is based on storing the user’s session ID in a database table. The process used would be something like this:
- Following a successful login, store the session ID in the database against the username. This means that the last successful login will be the valid login.
- As part of the access control process, if the user is logged in, check whether the current session ID matches the session ID in the database; if it does not, log the current user out, but do not clear the session ID from the database, or destroy the session, as per the normal logout process.
- As part of the normal logout process, clear the session ID for the username from the database, then destroy the session.
The precise implementation of the above will depend on the web framework you are using.