This week's book giveaway is in the OCAJP 8 forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide and have Edward Finegan & Robert Liguori on-line! See this thread for details.
i already try using IP address but , this solution is not the BEST whrn user will try proxy server
...and of course the IP address will be the same no matter how many browsers are opened on the same node.
You need to audit the sessions that are open. There's a number of different ways of doing this: currently the app I'm working uses a DB table which contains open sessions. The table keeps a record of user ID and session ID. Every request, after container managed security has authenticated the user, checks if the authenticated user has a currently valid session (represented by an entry in the table). If they do and the sesison ID matches then the request is passed. If they do and the session ID doesn't match, then an exception is thrown and the user is logged out.