Skip to Content (Press Enter)
UserImage.jpg
Tamilselvan M
15Views
2Comments
[No concurrent login] Restrict Concurrent Login for Same User
Question
Users
Reactive
Component
Forge
Security
Development
no-concurrent-login
Reactive icon
No concurrent login (O11)
Forge asset by Kumar Chandrasekaran

I am currently using the following Forge component to prevent concurrent logins: https://www.outsystems.com/forge/component-documentation/17561/no-concurrent-login-o11/0

At present, when a user is logged in on Device 1 and attempts to log in again on Device 2, the alert popup is displayed on Device 1. However, I would like to change this behavior so that the alert is shown on Device 2 instead.

Required Behavior

  • If a user is already logged in on Device 1 and attempts to log in from Device 2, a popup should appear on Device 2 with the message: “An active session already exists. Do you want to continue login here?”

  • If the user clicks “Yes”:

    • The session on Device 1 should be logged out

    • The login on Device 2 should be allowed

  • If the user clicks “Cancel”:

    • The login on Device 2 should be blocked

    • The session on Device 1 should remain active

0
0
05 Jan
Copy Link
2025-12-22 13-50-43
Sherif El-Habibi
Champion

Hello,

I’m not sure this is possible. The code runs in the session on Device A, so the pop-up will only appear there, as Device A is the first to trigger it. Additionally, Device B cannot see the changes that occur in Device A’s session. For example, if Device C tries to log in after Device A has logged out, the message will appear on Device B. In short, the first device to trigger the action is the one that will receive the pop-up.

1
0
05 Jan
Copy Link
2026-03-20 01-28-51
Saugat Biswas

Hi @Tamilselvan M,

You’ve hit a fundamental limitation of the “No Concurrent Login (O11)” Forge component, not a configuration gap, and unfortunately your desired behavior cannot be achieved by modifying the component as‑is.

The component is designed around this rule: 

“The currently active session is the one that detects the conflict.” 

So when: 

  • Device 1 is already logged in 
  • Device 2 tries to log in 

What happens internally is: 

  • Device 2 creates or updates a shared session record (entity) 
  • Device 1 detects the competing session (via polling / SSE) 
  • Device 1 shows the popup and may log itself out 

This is by design and confirmed by the component author / community. 

Device 2 has no knowledge or control over Device 1’s live UI session, so it cannot display a popup on itself using this approach.

However, you can implement your own solution

You need a custom concurrent‑session design where the decision happens during login, not after.

Architecture:

Create an entity like:

UserSession: This entity is the single source of truth. 

  • UserId
  • SessionId
  • DeviceFingerprint
  • CreatedOn
  • IsActive

During login on Device 2: 

  • Authenticate credentials 
  • Check Active UserSession entity by UserId
  • If active session exists: 
    • Do NOT log in yet 
    • Show popup on Device 2:
      •  “An active session already exists. Do you want to continue login here?”
  • If user clicks Cancel 
    • Abort login 
    • Do nothing else 
    • Device 1 remains active
  • If user clicks Yes 
    • Invalidate existing record in UserSession 
    • Create new session for Device 2 
    • Redirect Device 2 to home

Auto-logout  Device 1

On each request / screen start in Device 1: 

  • Validate session against UserSession 
  • If session is no longer active: 
    • Force logout 
    • Show message: 
      • “You’ve been logged out due to a new login”

Benefits of this approach

  • No cross‑session UI calls
  • No unsafe server push
  • Works in web & mobile 
  • Scalable & predictable

Hope this helps,

Cheers.

Saugat

0
0
1 day ago
Copy Link
Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.