Hello. I want to handle the following scenarios in my new web application.
If multiple users log into the application with the same credentials, the application should deny access. Since I have an out-of-process session store, I would be able to make out when this situation happens. So I can deny all requests after the first successful attempt. This will, however, not work if the user, instead of logging out of the application, closes the browser. The session will continue to be reflected in the store for the period of the timeout value.
If a user attempts to open a new browser window (Ctrl+N), the application should defeat this attempt. Every new page can potentially fiddle with cookies. I want to therefore deny the users the ability to open a new window.
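
Added example, not part of the original post: a minimal Python sketch of the first scenario, showing the deny-second-login check against a session store and why a closed browser keeps the account blocked until the idle timeout passes. The class name, the in-memory dictionary standing in for the out-of-process store, and the 1200-second timeout are assumptions made for illustration.

```python
import secrets
import time


class SingleSessionStore:
    """In-memory stand-in (hypothetical) for the out-of-process session store."""

    def __init__(self, idle_timeout=1200, clock=time.monotonic):
        self.idle_timeout = idle_timeout  # seconds; constructed value
        self.clock = clock                # injectable so expiry can be exercised
        self._by_user = {}                # user -> (session_id, last_seen)

    def _live_session(self, user):
        entry = self._by_user.get(user)
        if entry is None:
            return None
        session_id, last_seen = entry
        if self.clock() - last_seen >= self.idle_timeout:
            del self._by_user[user]       # stale entry (e.g. closed browser) expires
            return None
        return session_id

    def login(self, user):
        """Return a new session id, or None while the user has a live session."""
        if self._live_session(user) is not None:
            return None                   # second concurrent login is denied
        session_id = secrets.token_urlsafe(32)
        self._by_user[user] = (session_id, self.clock())
        return session_id

    def touch(self, user, session_id):
        """Validate the session on a request and slide its idle window."""
        live = self._live_session(user)
        if live is None or not secrets.compare_digest(
                live.encode(), session_id.encode()):
            return False
        self._by_user[user] = (session_id, self.clock())
        return True

    def logout(self, user, session_id):
        """Explicit logout frees the account immediately."""
        if not self.touch(user, session_id):
            return False
        del self._by_user[user]
        return True
```

With this policy, a user who closes the browser without calling `logout` is refused by `login` until `idle_timeout` seconds after their last request, which is the lockout window described in the post.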