I'm working on a security issue that prevents a user from logging on if they already have an existing session on the server. I found a good solution for this where I store the user's id in a HashSet inside the ServletContext when they log on, so if they log in again, I just check do a "contains(userId)" and find out if they are logged on. The problem with this is, I don't think the ServletContext is shared between clustered machines. I thought about using the database, but if the power goes out on the application server, the record will remain in the table instead of being removed at the end of the session.
I'd appreciate any ideas.