[ForYourInformation -50] Restrict Concurrent Login Sessions




It's a common request or recommendation that a web application does not allow a user to have more than one session active at a time. There are numerous reasons for preventing concurrent connections.

One of the most common reasons is to keep user accounts from being compromised and to prevent insider threats. Having concurrent login enabled could lead to multiple security issues within the organization, such as misuse of the user's personal information or resources to perform unauthorized actions. This can also result in the user being wrongly held accountable for the harmful actions of another user with malicious intent.

Having said that, there could be scenarios where users may want to have concurrent login enabled. A good rule of thumb is to not allow more functionality than that which is needed. If your users are never going to connect more than one simultaneous session, disabling it would reduce the risk of attack. If, however, your users may expect to use multiple sessions, then you'll have to have this functionality.

In ServiceDesk Plus, yet another security enhancement, the option to disable concurrent login, has been released with build 11128. Once concurrent login is disabled, the application does not allow a user to have more than one session active at a time. In other words, after a user logs into the application, if the user tries to log in again from a different browser or private browsing mode, the previous sessions will expire.

Similarly, when a user tries to access the application from a different computer when his login session is already active, he will not be allowed to access the application and a message will be displayed on the login screen as in the screenshot below.
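The two behaviours described above (a new login expiring the previous session, and a new login being refused while a session is active) can be modelled as two policies over one server-side session registry. The sketch below is an added example, not ServiceDesk Plus code; `SessionRegistry`, `Policy`, `ConcurrentLoginError` and the 900-second idle timeout are hypothetical names and values chosen for illustration.

```python
import secrets
import threading
import time
from enum import Enum

class Policy(Enum):
    EXPIRE_PREVIOUS = 1  # newest login wins; the older session is invalidated
    DENY_NEW = 2         # existing session wins; the new login is refused

class ConcurrentLoginError(Exception):
    """A session is already active and the policy refuses a second one."""

class SessionRegistry:
    def __init__(self, policy, idle_timeout=900, clock=time.monotonic):
        self.policy, self.idle_timeout, self.clock = policy, idle_timeout, clock
        self._lock = threading.Lock()  # makes check-and-replace atomic
        self._token_of = {}            # user -> current token
        self._session = {}             # token -> [user, last_seen]

    def _drop(self, token):
        user, _ = self._session.pop(token)
        self._token_of.pop(user, None)

    def _live_user(self, token):
        entry = self._session.get(token)
        if entry is not None and self.clock() - entry[1] > self.idle_timeout:
            self._drop(token)  # idle sessions must not block DENY_NEW forever
            entry = None
        return entry[0] if entry else None

    def login(self, user):  # call only after credentials have been verified
        with self._lock:
            old = self._token_of.get(user)
            if old is not None and self._live_user(old) is not None:
                if self.policy is Policy.DENY_NEW:
                    raise ConcurrentLoginError(user)
                self._drop(old)
            token = secrets.token_urlsafe(32)
            self._token_of[user] = token
            self._session[token] = [user, self.clock()]
            return token

    def validate(self, token):  # returns the user and refreshes the idle timer
        with self._lock:
            user = self._live_user(token)
            if user is not None:
                self._session[token][1] = self.clock()
            return user
```

The lock matters because two logins arriving at the same moment must not both leave with a valid token, and the idle timeout keeps a user who closed the browser without logging out from being locked out under the deny-new policy.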

                                                            

Check our previous post, which describes the Request template date field enhancement released with build 11126.
