I need to enforce that some users (that have a flag at true) can only have 1 active session. I mean, the users logs in 1 browser and can't login in another browser/computer.
I tried using my own loginmodule but the second time I login (in another browser) the loginmodule isn't used, it seems something is being cached...
If you use Spring Security, there is an option for concurrent session control. You would want only 1 session. There is an explanation of integrating Spring Security with JBoss.
You just need an Application Scoped map of logged in users that you check when someone logs in. Store the session id and the user id.
Are you using a Framework? If so which one?