This is Web Forms, C# (Not MVC)
We have our website with Forms authentication. A client of the company ran a security scan on our site and said this is a security risk that needs to be fixed:
1. User opens the browser, types in username/password and logs in
2. User can now open another tab and log in again
3. User can open another browser session and log in
So, the site is allowing multiple logins and we've been asked to fix this.
I had this idea:
When the user logs in, we set a flag in the database. If the user opens another tab or another browser session to log in again, we can check that flag and prevent a double login.
But, what if user X outs and doesn't click on the "log out" button?
Any ideas on how to go about this?
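
The flag idea from the question, sketched as an added example that is not part of the original post: the flag becomes a per-user session token with a last-seen timestamp, so a session abandoned by closing the browser expires on its own. `ActiveSessionRegistry` and its members are hypothetical names, the in-memory dictionary stands in for the database table, and the token is assumed to travel with the user's authentication cookie (for example in `FormsAuthenticationTicket.UserData`).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical helper, not an ASP.NET API. The dictionary stands in for the
// database table that would hold the per-user "logged in" flag.
public sealed class ActiveSessionRegistry
{
    private sealed class Record { public string Token; public DateTime LastSeenUtc; }
    private readonly Dictionary<string, Record> _byUser =
        new Dictionary<string, Record>(StringComparer.OrdinalIgnoreCase);
    private readonly object _gate = new object();
    private readonly TimeSpan _idleTimeout;
    public ActiveSessionRegistry(TimeSpan idleTimeout) { _idleTimeout = idleTimeout; }

    // Call after the password check succeeds. Returns null while another
    // session for this user is live, otherwise a new random session token.
    public string TryLogin(string user, DateTime nowUtc)
    {
        lock (_gate)
        {
            if (_byUser.TryGetValue(user, out Record r) && nowUtc - r.LastSeenUtc < _idleTimeout)
                return null; // flag set and not stale: refuse the second login
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
            var token = Convert.ToBase64String(bytes);
            _byUser[user] = new Record { Token = token, LastSeenUtc = nowUtc };
            return token;
        }
    }

    // Call on every authenticated request. An active user keeps refreshing
    // last-seen; a closed browser stops refreshing and the flag goes stale.
    public bool Touch(string user, string token, DateTime nowUtc)
    {
        lock (_gate)
        {
            if (!_byUser.TryGetValue(user, out Record r) || r.Token != token) return false;
            if (nowUtc - r.LastSeenUtc >= _idleTimeout) { _byUser.Remove(user); return false; }
            r.LastSeenUtc = nowUtc;
            return true;
        }
    }
    // Call from the "log out" handler to free the slot immediately.
    public void Logout(string user, string token)
    {
        lock (_gate)
            if (_byUser.TryGetValue(user, out Record r) && r.Token == token) _byUser.Remove(user);
    }
}
```

When `Touch` returns false the request should be treated as signed out. The idle timeout sets how long a user who closed the browser without logging out must wait before logging in again.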