I'm trying to determine the best way to prevent multiple authenticated sessions for a single account. I'm using JBoss's WebAuthentication class to do programmatic authentication, as well as having a custom login module on the other end. The login module verifies credentials and also sets an in-use flag in a database.
When attempting to log in a second time, I noticed that JBoss cached the security credentials and was not performing a full login in order to check the database status.
I then figured out how to disable credential caching in JBoss.
When I tried to do a second login on the next occurrence, I noticed that JBoss actually calls logout before logging in. So the in-use flag is reset to not in use and a second user is able to log in.
Any help with this situation would be appreciated. I would like a situation where, if a user tries to log in from another computer, he is told that the account is in use.
Additionally, and I'm still trying to verify this requirement: if a user opens a second browser, I want him to get a message saying in use. If the browser closes altogether and opens up again, I want to let him back in.
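One way to keep the logout-before-login call from clearing the flag is to record which session owns the account and let only that session release it. This is an added example, not part of the original post and not JBoss code. The `AccountLease` class, its method names, the in-memory map standing in for the database flag, and the idle limit used to detect a closed browser are all assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical stand-in for the database in-use flag, keyed by owning session. */
public class AccountLease {
    private static final class Owner {
        final String sessionId;
        final long lastSeenMillis;
        Owner(String sessionId, long lastSeenMillis) {
            this.sessionId = sessionId;
            this.lastSeenMillis = lastSeenMillis;
        }
    }

    private final ConcurrentHashMap<String, Owner> owners = new ConcurrentHashMap<>();
    private final long idleLimitMillis;

    public AccountLease(long idleLimitMillis) { this.idleLimitMillis = idleLimitMillis; }

    /** Call on login and on every request; true if this session holds the account. */
    public boolean claim(String user, String sessionId, long now) {
        Owner result = owners.compute(user, (u, cur) -> {
            // A missing or stale owner (browser closed, no recent request) can be replaced.
            boolean free = cur == null || now - cur.lastSeenMillis > idleLimitMillis;
            if (free || cur.sessionId.equals(sessionId)) return new Owner(sessionId, now);
            return cur; // held by another live session: leave it untouched
        });
        return result.sessionId.equals(sessionId);
    }

    /** Call on logout; clears the flag only when the caller is the current owner. */
    public boolean release(String user, String sessionId) {
        Owner cur = owners.get(user);
        return cur != null && cur.sessionId.equals(sessionId) && owners.remove(user, cur);
    }

    public static void main(String[] args) {
        AccountLease lease = new AccountLease(30_000); // constructed idle limit: 30 s
        // Constructed sequence: S1 logs in, S2 (second browser) triggers logout then login,
        // S1 keeps working, and S3 arrives after S1 has been idle past the limit.
        System.out.println("S1 login:   " + lease.claim("alice", "S1", 0));
        System.out.println("S2 logout:  " + lease.release("alice", "S2"));
        System.out.println("S2 login:   " + lease.claim("alice", "S2", 1_000));
        System.out.println("S1 request: " + lease.claim("alice", "S1", 2_000));
        System.out.println("S3 login:   " + lease.claim("alice", "S3", 40_000));
    }
}
```

With a database-backed flag the same rule becomes a conditional update that matches on both the account and the owning session id, so a logout issued on behalf of a different session changes no rows.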