In no particular order... I've never used CFLogin and, to tell you the truth, I'm not sure what it does any differently than simply tracking the login status yourself in the session scope. I've read the doc a few times and it's unclear to me what it does.

BCrypt, definitely, or something similar. Make sure you are using a one-way hash function of some sort as opposed to a two-way encryption/decryption function. I like to use com.lambdaworks.crypto.SCryptUtil, but CF11+ comes with similar native functions, either within CF or within the jars that come with CF.

The newer CF admin page has default session timeframes and maximum timeframes. You cannot exceed the maximum idle setting from the application. But remember, this is an idle timeout, so as long as the session is being used it will not time out.

Booting someone out should be doable, but a little work needs to be done. You need to track active logins within the application scope yourself. I have not done this, but it sounds like a fun project and I would guess there might even be an article or two around on this topic.

Lastly, the single login: the thing to worry about is that more times than not the last attempt, or the attempt you would be blocking in your example, is the most accurate attempt, so it would be better to kill the previous login sessions. Often people close browsers or shut off their computer and then return to the site. The original login is no longer accessible to the user, so blocking this new request may only frustrate users. Just something to think about, and this may require some of the same logic as the "booting someone out" mentioned above.
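One way to implement the "newest login wins" idea from the reply above, tracking active logins in the application scope so an older session is booted on its next request, along with a one-way scrypt password check. This is an added example, not the poster's code; it assumes CF11+ CFScript, session management enabled in Application.cfc, the lambdaworks scrypt jar on CF's Java classpath, and the names `activeLogins`, `loginToken`, `login`, `isStillActive` and `verifyPassword` are made up for the illustration.

```cfml
// Added example (not from the original post). Intended for Application.cfc.
component {
    this.name = "singleLoginDemo";
    this.sessionManagement = true;
    // Idle timeout: the admin "maximum" setting still caps this value.
    this.sessionTimeout = createTimeSpan(0, 0, 20, 0);

    public void function onApplicationStart() {
        // userId -> token of the most recent login for that user (assumed key name)
        application.activeLogins = {};
    }

    // One-way check against a stored scrypt hash; scrypt() with N=16384, r=8, p=1
    // produces the stored value at registration time.
    public boolean function verifyPassword(required string plain, required string storedHash) {
        var scrypt = createObject("java", "com.lambdaworks.crypto.SCryptUtil");
        return scrypt.check(arguments.plain, arguments.storedHash);
    }

    // Call after verifyPassword() succeeds. The newest login supersedes any
    // earlier session for the same user instead of being blocked.
    public void function login(required string userId) {
        var token = createUUID();
        lock scope="application" type="exclusive" timeout="5" {
            application.activeLogins[arguments.userId] = token;
        }
        session.userId = arguments.userId;
        session.loginToken = token;
        session.loggedIn = true;
    }

    // Run on every request (e.g. from onRequestStart). A session whose token no
    // longer matches the application-scope entry has been replaced and is logged out.
    public boolean function isStillActive() {
        if (!structKeyExists(session, "loggedIn") || !session.loggedIn) return false;
        var current = "";
        lock scope="application" type="readonly" timeout="5" {
            current = application.activeLogins[session.userId] ?: "";
        }
        if (current != session.loginToken) {
            structClear(session);   // booted: a newer login replaced this one
            return false;
        }
        return true;
    }
}
```

An expired session simply disappears with its token, so the application-scope entry for that user is harmless until the next login overwrites it; clear it in onSessionEnd if you want the map to stay tidy.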