RE: [coldbox:18276] [ColdBox 3.5.0] Prevent concurrent user login

Another option would be to store some in-memory cache that mapped each user to the last session ID they logged in with. You’d still want to check every request; it would just be in-memory and not in the database. Of course, if you have multiple CF instances you then have to replicate that data to all of them, which is why I just recommended storing it in the database in the first place.

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com

I agree with what's said.
Thought I might share our experience with this type of thing.

One of our apps is a pretty decent sized paid subscription service.
We db it... And check on each request... But we also log conflicts.

We boot them and log each logged-in user's details, and if they reach a threshold we lock them out for a certain time.
The lockout is exponentially bigger the more they abuse the multiple logins.

We found this helped our business immensely because some companies were paying for 1 user and had 15 plus people using it at once.
Also helps identify habitual abusers fast :)

For concurrency issues, I think you have to check per request.
It's not a big overhead in the scheme of things.
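The scheme discussed in this thread, as an added sketch that is not code from either poster or from ColdBox: each user maps to the last session ID they logged in with, every request is checked against it, conflicts are logged, and lockouts double each time the threshold is reached. It is written in Python for brevity; `SessionGuard`, `UserState`, `THRESHOLD`, `BASE_LOCKOUT` and the doubling factor are assumptions, and the dict stands in for the database table.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

THRESHOLD = 3       # assumed: conflicts tolerated before a lockout
BASE_LOCKOUT = 60   # assumed: first lockout in seconds, doubled on each repeat

@dataclass
class UserState:
    session_id: Optional[str] = None  # last session ID the user logged in with
    conflicts: int = 0                # conflicts since the last lockout
    lockouts: int = 0                 # lockouts so far (drives the exponent)
    locked_until: float = 0.0
    log: list = field(default_factory=list)

class SessionGuard:
    """The dict stands in for a database table shared by all instances."""
    def __init__(self):
        self.users = {}

    def login(self, user, session_id, details, now=None):
        now = time.time() if now is None else now
        st = self.users.setdefault(user, UserState())
        if now < st.locked_until:
            return "locked"
        if st.session_id is not None and st.session_id != session_id:
            st.conflicts += 1             # a second login while one is live
            st.log.append((now, user, st.session_id, session_id, details))
            if st.conflicts >= THRESHOLD:
                st.locked_until = now + BASE_LOCKOUT * 2 ** st.lockouts
                st.lockouts += 1
                st.conflicts = 0
                st.session_id = None      # every session is booted
                return "locked"
        st.session_id = session_id        # newest login wins, older one is booted
        return "ok"

    def logout(self, user, session_id):
        st = self.users.get(user)
        if st and st.session_id == session_id:
            st.session_id = None          # a clean logout is not a conflict

    def check(self, user, session_id, now=None):
        """Run on every request: only the most recent session stays valid."""
        now = time.time() if now is None else now
        st = self.users.get(user)
        if st is None or now < st.locked_until:
            return False
        return st.session_id == session_id
```

Session expiry should clear the stored ID the same way `logout` does, otherwise a returning user with a stale session is counted as a conflict.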