I discourage people from using the SessionTracker class to do anything other than a simple count of active sessions. Access to a specific session via the SessionTracker class updates the last access time of that session, which interferes with sessions reaching their expiration time. The method you will probably need to pursue is along the lines of what Ryan is suggesting, where you keep track of a list of logged in users in the application scope.

What if five people are all trying to use the same login at the same time? If you simply invalidate a session and show the user a timeout error message, they will try to log in again and you will have a circle of five people all kicking the other people out and none of them really knowing what is going on. The error message should be very specific regarding the situation that was detected. Maybe show "another user logged in using this account at IP address X. You have been logged out."

An important point that confuses people is that a session doesn't end when you log out and wipe out the session variables. It ends when the timeout is reached or when the browser window is closed, depending on how you have things set up. If you clear session variables upon logout, the session is still running, but it is empty.

-Mike Chabot

On Dec 10, 2007 10:23 AM, Ryan Stille <[EMAIL PROTECTED]> wrote:
> You can go through all of an application's current sessions using the
> SessionTracker class, but I've found this to be very slow.
>
> Instead I switched to keeping a list of logged in users in the
> application scope. Users get pushed into here when they log in, and
> removed from here when they click LogOut, or when their session times
> out (via OnSessionEnd). I store the users in a structure, using their
> username as a key, and their session information as the value.
>
> Then when someone logs in, I check the application variable. If a user
> exists in there, you know they are already logged in from another
> session. At that point you still have to use the SessionTracker to
> reach into that other session and invalidate it - but this is much
> faster since you aren't looping through all the sessions, you are just
> reaching into one known session.
>
> -Ryan
>
> Wally Randall wrote:
> > How do people prevent the same user from logging into an application with
> > the same userid from multiple machines? We have users who are sharing
> > their IDs which is causing application failures with the concurrent
> > sessions.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:294464