Suppose that a user closes his or her browser without properly logging out. The server then doesn't know that the user doesn't have the browser open anymore. If the user re-opens the browser and tries to start a new session, would the server then tell the user that he or she is still logged in? You'd need a session timeout mechanism on the server, and even then, if the user would quickly close and re-open the browser, there would be a period that he or she cannot log in.
How did you solve that problem in your application Ivan?
Jesper de Jong wrote:How did you solve that problem in your application Ivan?
It is a web application inside a servlet container which provides session handling mechanism including time-out.
We keep track of the users logged in in a database, and if the same user comes again successfully from the login,
which is on the application level, then we issue a warning and disable the previous session.
Only one login of the same user can be active at any given time. It does not forcibly have to be so, but it is in this case.
We handle login on the application level: that might be important when pondering on how to implement this feature.