Prevent multiple log ins per user

As an outcome of OWASP security testing I have to prevent multiple sessions per user.

Our environment is Version 9.1.601.0 and we are using PingFederate SAML authentication with the IDP provider connector.

So far, I have managed to connect to the session database and create the functionality to check if the user already has a different session. This on advise of a OutSystems consultant.

Now I want on the OnSessionStart event, implement functionality to log out the user and redirect him/her to a logged out screen with a custom message.

To enable this, I have created a User Exception in the OnSessionStart. The problem is that this error isn't caught by the Error Handler I have defined in the Common Web Flow (also not in the Main Flow).
Instead a general error is raised: https://dev.pst.philips.com/customHandlers/internalerror.aspx?

Due to the SAML authentication, I can't apply the check on log in.

Is there:
- either an option to get the error to be caught within the application?
- or a different approach?

Ricardo Silva
Rank: #0

I would probably go for a different approach. Depending on specific implementation details from the OutSystems side may cause your solution to require revisiting in the future if we decide to change the way our sessions are maintained.

Instead you should aim for a fully applicational approach to this requirement. Here's what I would do:

1) Create a wrapper for the User_Login action. This is the action where our logic will reside

2) Create a table keeping score of who's logged

3) In your wrapper have the logic to check if a person is logged in (accessed in the last X minutes) and don't allow a new login to happen if they are, or register that they are logged in if they aren't

4) in your espaces have weblock in your header / footer that updates the table whenever the user accesses.

This should allow you avoid a second login from happening.

Depending on your requirements you can have slightly different approaches but roughly with the same outline.

I notice that you said "Due to the SAML authentication, I can't apply the check on log in.". Can you elaborate on this?