Managing sessions in a "secure" application

Hi,
Here is the approach I'd think about taking...

• See which users have an active session?      
  • I'd use the login process and the application.cfc onSessionEnd to keep track of this.
  • Login routine would store the session ID against the user account record.
  • onSessionEnd would remove the session ID from the user account record.
• Log out a user remotely.
  • Since you have the session ID's, you can modify the "sessionStop" function I created to accept the session ID as an argument      http://misterdai.wordpress.com/2010/06/15/cf-sessionstop-ending-a-cf-session/
  • You'll probably want to pester Adobe to put this into CF10.  Otherwise you might run into problems if they change the way things work.
• Block accounts from having multiple sessions at once.
• If someone tries to log in and they have a session ID on their record, they're already logged on.
• You could then either kick off the old ID and let the new one on, or stop the new login attempt.

BTW, I'm also the creator of CfTracker.  It does provide an insight into the sessions on your server, it's built more for monitoring than using within another application.

How you handle this will depend a bit on whether you are using CF session management or JEE session mananement.

First, you're going to want to look at CFTracker. It has much of what you want to do implemented already.

http://www.cftracker.net/page.cfm/features

If you want to be able to block users from having multiple sessions, you're going to need to create a way to link a user's sessionID to whatever information they use to authenticate. Perhaps a database table that stores their username and session token, or a structure in memory. but then, when they log in, you'll need to check their username against that datastore and find the currently active session. If you find one, use CFTracker or some other means to end that session manually.

Note, there will be nothing you can do to prevent a user from having two or more simultaneous anonymous sessions. Because you will not be able to tell one connection from the other. Unless you use IP Address, but that could really bite you if some of your users come from behind the same NAT router.

Good luck

You could start with something basic from Ray's blog post here.

http://www.coldfusionjedi.com/index.cfm/2006/12/19/Session-metrics-with-Applicationcfc

This will let you track in a db current sessions, and with a bit of work detect they are already logged in and prevent them from doing it again. (store their username, or whatever unique value you have for them, then check if it is already in db).  You might also on sessionEnd() delete the record instead of store the logout time, if you only want to track live sessions.

You can then add code to check if they should be remotely logged out.  You can do this by adding a column in the table, but that would require you to query that table on every request (for a column called logemout or whatever).  You could also have code that stores sessionID's in an application scope.  A list maybe.  Then on request check if the sessionid is in the application scope list, and if so remove their session structs and remove them from the table.  Lots of different ways to do it, but that should get you started.