Wednesday, April 11, 2012

Is It Possible To Block A Second User From Logging-in With Another Users ID



Is It Possible To Block A Second User From Logging-in With Another Users ID? [ID 337095.1]
  Modified 06-OCT-2011     Type HOWTO     Status ARCHIVED
This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process, and therefore has not been subject to an independent technical review.
Applies to:

Oracle Self-Service Web Applications - Version: 11.5.9
Information in this document applies to any platform.
Goal

The purpose of this note is to address the case where a second user (User B) attempts to log in to Oracle Applications using the user ID and password of a user who is already connected (User A), and whether User B can be blocked from connecting with User A's user ID and password.

Note 304209.1 addresses the reverse of this issue and says that it is possible to disconnect User A when User B connects with User A's user ID by installing a patch. If a specific user logs in to the application and a previous, valid session is still active, the previous session(s) are immediately invalidated by the event oracle.apps.icx.security.session.created.

This note addresses the flip side of the issue: when User B tries to connect as User A, who is already connected, some customers would like the first connection (User A) to remain active and the second login attempt (User B) to be blocked.

 Can this be done?  

Solution

Discussed this issue with Development and was informed that this cannot be done due to the nature of HTTP - that is, we cannot block User B from connecting with User A's user ID and password.

If we blocked the second login attempt (User B), then users might find that they cannot log in to Oracle Applications at all.

Most users, instead of 'logging out' of the application, will close the browser by clicking on the 'x' in the upper right-hand corner of the browser. In Oracle Applications, when you click on the 'x' to close the browser, the session remains active until a timeout parameter is hit. If we blocked the second login attempt (User B), then users could get blocked when trying to log back in because they have active sessions open from previous connections that were not closed properly.

The same will also happen if there is any crash at the client machine.

There is no way the web server detects that a window has been closed. This is the way HTTP works...
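The lockout described above, as an added example that is not part of the Oracle note and is not Oracle code: a toy session table comparing a hypothetical "block the second login" policy with the "invalidate the previous session" behaviour of Note 304209.1. The class, policy names and the 1800-second idle timeout are assumptions for illustration, and credentials are assumed to have been verified already.

```python
import secrets

class SessionStore:
    """Toy server-side session table with an idle timeout in seconds (assumed value)."""

    def __init__(self, policy, idle_timeout=1800):
        assert policy in ("block_second", "invalidate_previous")  # hypothetical names
        self.policy = policy
        self.idle_timeout = idle_timeout
        self.sessions = {}  # token -> (user, last_seen)

    def _active(self, user, now):
        # Expire idle sessions first. This timeout is the only signal the
        # server has that a browser was closed or a client machine crashed.
        self.sessions = {t: (u, seen) for t, (u, seen) in self.sessions.items()
                         if now - seen < self.idle_timeout}
        return [t for t, (u, _) in self.sessions.items() if u == user]

    def login(self, user, now):
        """Return a new session token, or None if the login is refused."""
        existing = self._active(user, now)
        if existing and self.policy == "block_second":
            return None             # first session wins, newcomer is refused
        for token in existing:      # invalidate_previous: newest login wins
            del self.sessions[token]
        token = secrets.token_hex(16)
        self.sessions[token] = (user, now)
        return token

    def is_valid(self, token, now):
        entry = self.sessions.get(token)
        return entry is not None and now - entry[1] < self.idle_timeout


def closed_browser_scenario(policy, retry_after):
    """User A logs in at t=0, closes the browser without logging out, then
    tries to log in again retry_after seconds later.
    Returns (second_login_accepted, first_session_still_valid)."""
    store = SessionStore(policy)
    first = store.login("USER_A", now=0)
    second = store.login("USER_A", now=retry_after)
    return second is not None, store.is_valid(first, retry_after)


if __name__ == "__main__":
    for policy in ("block_second", "invalidate_previous"):
        for retry in (60, 1800):
            print(policy, retry, closed_browser_scenario(policy, retry))
```

Under the blocking policy the legitimate user stays locked out until the idle timeout expires, because the server cannot distinguish an abandoned session from a live one.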
References

NOTE:304209.1 - About the oracle.apps.icx.security.session.created business event.
