
play framework enforcing single concurrent user login session

Has anyone had to ensure that only a single login session exists for a given userid/password with Play Framework? (So that 10 users on different computers can't log in with the same userid/password at the same time.) The two possibilities I can think of are:

1) Add a timestamp variable to the User class in the database which is updated to current time on every controller access. Null the timestamp on logout, and do not allow logins for that user if timestamp is without a timeout period (maybe 30 min). Would be a pain if a user's browser or computer crashes: they can't log in for 30 min.

2) Like Java EE Servlets, create a sessionId cookie, save it with the User record on login and only allow requests containing it (until a logout or timeout), but this would have the same drawbacks as #1.

Any ideas would be welcome.

at7000ft asked Mar 24 '26 20:03


1 Answer

Personally, I would go for option 2.

If you save the userid into your session cookie, and then store the cookie id with your user, then you will have a link between the user and the computer they are active on. You would need to also store the last activity time, so that you could clear the cookieId from the User after a certain timeout period.

The issue of the browser/computer crashing can be overcome by changing the Session cookie timeout in your application.conf:

application.session.maxAge=1h

see - http://www.playframework.org/documentation/1.2.3/configuration#application.session.maxAge

Finally, you would have to deal with people logging on from a different location, so you may need a "Log Me Out from All Other Locations" option, like GMail has.

Codemwnci answered Mar 26 '26 12:03
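The bookkeeping behind option 2, as an added example that is not part of the question or the answer and does not use Play's own API: one token per user, a last-activity time, an idle timeout that frees the slot after a crash, and a forced login standing in for "Log Me Out from All Other Locations". The class name, the in-memory map (in place of the User record) and the 32-byte random token are assumptions; it needs Java 16 or later.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical class): the map stands in for columns on the User record.
public class SingleSessionRegistry {
    private record Active(String token, Instant lastSeen) {}
    private final ConcurrentHashMap<String, Active> byUser = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration idleTimeout;
    public SingleSessionRegistry(Duration idleTimeout) { this.idleTimeout = idleTimeout; }
    private boolean live(Active a, Instant now) { return a != null && a.lastSeen().plus(idleTimeout).isAfter(now); }

    // Call after the password check. Empty result: a live session exists and force is false.
    public Optional<String> login(String userId, boolean force, Instant now) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        Active fresh = new Active(Base64.getUrlEncoder().withoutPadding().encodeToString(raw), now);
        // compute() is atomic per key, so two simultaneous logins cannot both win.
        Active stored = byUser.compute(userId, (k, cur) -> (force || !live(cur, now)) ? fresh : cur);
        return stored == fresh ? Optional.of(fresh.token()) : Optional.empty();
    }

    // Call on every request with the token from the session cookie; refreshes last activity.
    public boolean touch(String userId, String token, Instant now) {
        if (token == null) return false; // no cookie presented
        Active fresh = new Active(token, now);
        Active stored = byUser.computeIfPresent(userId, (k, cur) -> {
            if (!live(cur, now)) return null; // idle past the timeout: free the slot
            return MessageDigest.isEqual(cur.token().getBytes(UTF_8), token.getBytes(UTF_8)) ? fresh : cur;
        });
        return stored == fresh;
    }

    public static void main(String[] args) {
        SingleSessionRegistry reg = new SingleSessionRegistry(Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2026-01-01T09:00:00Z"); // constructed timestamps
        String laptop = reg.login("alice", false, t0).orElseThrow();
        if (reg.login("alice", false, t0.plusSeconds(60)).isPresent()) throw new AssertionError("duplicate login");
        String desk = reg.login("alice", true, t0.plusSeconds(120)).orElseThrow(); // forced takeover
        if (reg.touch("alice", laptop, t0.plusSeconds(180))) throw new AssertionError("old token still valid");
        if (!reg.touch("alice", desk, t0.plusSeconds(180))) throw new AssertionError("new token rejected");
        System.out.println("idle slot reusable: " + reg.login("alice", false, t0.plusSeconds(3600)).isPresent());
    }
}
```

In a real application the token and last-activity time would be persisted with the User record and updated in one transaction, so the check still holds across several application nodes.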
