How to Prevent Multiple Active Sessions for the Same User

Problem statement

This article describes how to prevent multiple active sessions for the same user.

Solution

This can be implemented with the sessions and refresh tokens management APIs.

  1. Check the active sessions and refresh tokens for a user using the Management API.
  2. If the user has more than one session or refresh token issued, invalidate the sessions and refresh tokens for the user using the delete refresh tokens and the delete sessions Management APIs.
  3. The application the user logged in to must also clear the internal session stored for this user.
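
The three steps above as one routine, added here as an illustration and not taken from the original article. The `/api/v2/users/{id}/sessions` and `/refresh-tokens` paths, the `sessions`/`tokens`/`next` response keys and the `take`/`from` paging parameters are assumptions modelled on Auth0's Management API v2; `clear_app_session` is a hypothetical callback standing in for step 3.

```python
import json
import urllib.parse
import urllib.request


class ManagementAPI:
    """Minimal bearer-token client; base_url and token are supplied by the caller."""

    def __init__(self, base_url, token):
        self.base_url, self.token = base_url.rstrip("/"), token

    def request(self, method, path):
        req = urllib.request.Request(
            self.base_url + path, method=method,
            headers={"Authorization": "Bearer " + self.token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
        return json.loads(body) if body else {}


# Paths, response keys and paging parameters below are assumptions (see lead-in).
def list_all(api, path, key):
    """Collect every item, following the 'next' cursor until it is absent."""
    items, cursor = [], None
    while True:
        query = "?take=50" + ("&from=" + urllib.parse.quote(cursor) if cursor else "")
        page = api.request("GET", path + query)
        items.extend(page.get(key, []))
        cursor = page.get("next")
        if not cursor:
            return items


def enforce_single_session(api, user_id, clear_app_session):
    """Steps 1-3: count, revoke everything if more than one, clear local state."""
    base = "/api/v2/users/" + urllib.parse.quote(user_id, safe="")
    sessions = list_all(api, base + "/sessions", "sessions")
    tokens = list_all(api, base + "/refresh-tokens", "tokens")
    result = {"sessions": len(sessions), "tokens": len(tokens), "revoked": False}
    if len(sessions) > 1 or len(tokens) > 1:
        api.request("DELETE", base + "/refresh-tokens")  # step 2, same order as the text
        api.request("DELETE", base + "/sessions")
        clear_app_session(user_id)  # step 3: the application drops its own session
        result["revoked"] = True
    return result
```

Counting through every page matters here: checking only the first page of results can report a single session when more exist.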