I have a challenge to prevent users from concurrently logging into a web application (WebSphere 5.1.1) using the same user account. The web application will be deployed across several clustered servers.
My preferred approach was to maintain a collection of user ids and session objects. Initially, if a user logs in successfully, their user id is stored with their session in this collection. If another user (using the same user id) logs in, then the new session will be stored against the user id and the old one invalidated, thus kicking the first user out.
I can see how I could implement this using a single server, but I can't see how it would be achievable using the target clustered environment.
I've investigated using a database for this and setting a flag when the first person using the id logs in. However, with the db approach the flag will only be tested and set during authentication; we would not want to test this db flag every time the user interacts with the system within the session. Therefore, when the second user logs in, I can't see a way to implement this so that the first user (who is already authenticated and using the application) is kicked out (effectively invalidating the session).
Can anyone provide any further assistance on this and suggest an appropriate solution? I'm wondering how video streaming websites are preventing multiple user logins using the same user id. I am sure they must have a clustered server environment.
Any help would be much appreciated.
Thanks in advance.
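One way the "newest login wins" scheme described in the post could carry over to a cluster, as an added example that is not part of the original post and is not WebSphere code. The `shared` map (standing in for a database table or replicated cache reachable from every node), the `Node` class and the recheck interval are all assumptions made for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Constructed model, not WebSphere API: "shared" stands in for a table or
// replicated cache that every cluster node can reach.
public class SingleLoginDemo {
    // userId -> id of the only session currently allowed for that user
    static final Map<String, String> shared = new ConcurrentHashMap<>();

    static class Node {
        // sessionId -> userId for sessions held on this node
        final Map<String, String> local = new ConcurrentHashMap<>();
        // sessionId -> time of the last check against the shared store
        final Map<String, Long> lastCheck = new ConcurrentHashMap<>();
        final long recheckMillis;
        Node(long recheckMillis) { this.recheckMillis = recheckMillis; }

        // Successful authentication: the newest login displaces any older one.
        void login(String userId, String sessionId, long now) {
            local.put(sessionId, userId);
            lastCheck.put(sessionId, now);
            shared.put(userId, sessionId);
        }

        // Called on each request; returns false once the session was displaced.
        boolean isValid(String sessionId, long now) {
            String userId = local.get(sessionId);
            if (userId == null) return false;
            Long checked = lastCheck.get(sessionId);
            if (checked != null && now - checked < recheckMillis) return true; // skip the store
            if (!sessionId.equals(shared.get(userId))) {
                local.remove(sessionId);     // where a servlet would call HttpSession.invalidate()
                lastCheck.remove(sessionId);
                return false;
            }
            lastCheck.put(sessionId, now);
            return true;
        }
    }

    public static void main(String[] args) {
        Node a = new Node(5000), b = new Node(5000);
        a.login("alice", "S1", 0);
        b.login("alice", "S2", 1000);               // second login lands on another node
        System.out.println(a.isValid("S1", 2000));  // still inside the recheck window
        System.out.println(a.isValid("S1", 6000));  // window elapsed, store consulted
        System.out.println(b.isValid("S2", 6000));  // the newest session
    }
}
```

The recheck interval bounds both the load on the shared store and how long a displaced session can keep working after the second login.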