Today I discovered that you can prevent concurrent logins by using cflogin. This was added in ACF11 but completely passed me by and is a nice feature so thought it was worth a quick blog post in case others like myself weren’t aware of it. You may have noticed that the CFIDE doesn’t allow concurrent logins using the same account on two devices at the same time.

You may want to prevent concurrent logins (the same user account being used to login to the system at the same time) for additional security in your application. This can be done quite simply with cflogin by using the allowconcurrent attribute. Here’s a quick example:

cflogin(allowconcurrent="false") {
  cfloginuser(name=username, password=password, roles=userroles);
}

What this does is to login the given user and also invalidate any other active logins on other computers/devices for the given user.

Alternatively you may want to logout your user account from other computers, but preserve the login in your current browser. This can be done in CFML using cflogout and the session attribute like so:

cflogout(session="others");

The session attribute also accepts the values all and current. A value of `all` will logout the user everywhere, A value of `current` will logout the user on their current device (or browser) but not on other devices (or browser on the same device).

Documentation:

https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-j-l/cflogin.html

https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-j-l/cflogout.html

Further reading:

https://helpx.adobe.com/coldfusion/configuring-administering/security-enhancements-coldfusion-11.html#ChangesinSecureProfile

https://www.carehart.org/blog/client/index.cfm/2012/6/13/cf10_admin_allows_one_logon_at_a_time