> > I am using Tomcat 7.0.11 and use Form Authentication (via >> j_security_check) to authenticate through the Tomcat server. >> Currently, two users with the same username can log into my application >> from two different computers and concurrently access the app. >> Is there a way to prohibit a user from authenticating if a user with the >> same username has previously authenticated and still has an active session? >> >> We use spring security in a web app that is deployed in tomcat. It has built in support for this - you can configure to either disallow subsequent sessions, or kill the first session and allow subsequent sessions. This should explain it better than I can http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html. Don't know how big a task it would be for you to move to this, but it works really well for us
If you provide a bit more information about what you are trying/need to do, > someone my come up with a better idea. > For example, what is the real problem - in your application - when two > people at different computers login with the same user-id ? > > +1 Chris