How Can I Restrict Applications Users To Be Signed In Only Once At Any Time [ID 375403.1]
Modified 27-NOV-2008 Type HOWTO Status PUBLISHED
In this Document
Goal
Solution
Business Event: oracle.apps.icx.security.session.created
References
Applies to:
Oracle Applications Technology Stack - Version: 11.5.8
Information in this document applies to any platform.
Goal
How can an Applications user be prevented from logging in twice?
Solution
You can enable the Business Event "oracle.apps.icx.security.session.created".
Business Event: oracle.apps.icx.security.session.created
Any given user can by default open multiple sessions with Oracle Applications.
For example, given 2 different computers, the user SYSADMIN can connect from both with no
problem whatsoever.
Some customers started seeing this as a security threat. Most customers' requirement was that if
user JOE logged in from machine XYZ, that should be the only session that this user has.
Now, HTTP is a stateless protocol, thus the HTTP server has no way to know that the same user has
logged in from a different machine. Remember that Session Management in Oracle Applications is
performed at a higher layer (AOL/J and ICX), so the HTTP server does not prevent a second session
for a given user from happening.
The solution is provided with the Business Event System (part of the Workflow Suite).
ICX created a new event named oracle.apps.icx.security.session.created, which, if enabled and also
subscribed to, will be fired (think of a business event as a DB Trigger) when a new session is created.
How does it work?
User XYZ creates a session. The FND APIs assign a session_id to this new session. The event is
raised via WF_EVENT.RAISE and it executes a rule function that takes the session_id and the
fnd_user.user_id as parameters. This function will execute the following SQL script:
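    -- :user_id and :session_id stand for the two parameters passed to the rule function
    UPDATE ICX_SESSIONS
    SET DISABLED_FLAG = 'Y'
    WHERE USER_ID = :user_id
    AND SESSION_ID != :session_id;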
And that’s it. If XYZ logs in, all the previous existing sessions for this user will be
automatically invalidated.
Some customers are not happy with this functionality. They would expect that if XYZ has a
previously established session, when he or she wants to log in from another computer, the login
screen should show a message such as “sorry, you already have an open session”. However, given
the nature of HTTP, this is not possible for the following reasons:
Browsers can crash, leaving the existing session open and the user without any chance to log in
Users close the browser window instead of logging off as intended
Computers can crash
An enhancement to this behavior can be considered in the future; however, it is unlikely that it
would be approved.
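The "newest login wins" behaviour described above can be modelled offline. The following is an added example, not Oracle's code: it uses an in-memory SQLite table as a constructed stand-in for ICX_SESSIONS with only the three columns this note names, and the function names and sample user and session ids are assumptions. It shows the default behaviour, the effect of the UPDATE once the event is enabled, and an audit query for users who still hold more than one valid session.

```python
import sqlite3

def make_db():
    # Constructed stand-in for ICX_SESSIONS with only the columns the note names.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE icx_sessions ("
               " session_id INTEGER PRIMARY KEY,"
               " user_id INTEGER NOT NULL,"
               " disabled_flag TEXT NOT NULL DEFAULT 'N')")
    return db

def login(db, user_id, session_id, event_enabled=True):
    # A new session row is created; if the event is enabled and subscribed to,
    # the UPDATE from the note runs for this user.
    db.execute("INSERT INTO icx_sessions (session_id, user_id) VALUES (?, ?)",
               (session_id, user_id))
    if event_enabled:
        db.execute("UPDATE icx_sessions SET disabled_flag = 'Y' "
                   "WHERE user_id = ? AND session_id != ?",
                   (user_id, session_id))
    db.commit()

def active_sessions(db, user_id):
    rows = db.execute("SELECT session_id FROM icx_sessions "
                      "WHERE user_id = ? AND disabled_flag != 'Y' "
                      "ORDER BY session_id", (user_id,))
    return [r[0] for r in rows]

def users_with_concurrent_sessions(db):
    # Audit check: any row returned means a user holds more than one valid session.
    return db.execute("SELECT user_id, COUNT(*) FROM icx_sessions "
                      "WHERE disabled_flag != 'Y' "
                      "GROUP BY user_id HAVING COUNT(*) > 1 "
                      "ORDER BY user_id").fetchall()

def demo():
    db = make_db()
    login(db, 100, 1, event_enabled=False)   # default behaviour
    login(db, 100, 2, event_enabled=False)   # second machine, both sessions valid
    before = users_with_concurrent_sessions(db)
    login(db, 200, 3)                        # another user, unaffected
    login(db, 100, 4)                        # earlier sessions never logged off
    return (before, active_sessions(db, 100), active_sessions(db, 200),
            users_with_concurrent_sessions(db))

if __name__ == "__main__":
    print(demo())
```

Because the stale sessions are disabled rather than used to block the new login, a user whose browser or computer crashed can still sign in, which is the trade-off the note describes.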