How Can I Restrict Applications Users To Be Signed In Only Once At Any Time
Applies to:
Oracle Applications Technology Stack - Version 11.5.8 to 12.1.3 [Release 11.5 to 12.1]
Information in this document applies to any platform.
Goal
How to prevent Applications user from login twice?
Fix
You can enable the Business Event "oracle.apps.icx.security.session.created".
Business Event: oracle.apps.icx.security.session.created
Any given user can by default open multiple sessions with Oracle Applications.
For example, given 2 different computers, the user SYSADMIN can connect from both with no problem whatsoever.
Some customers started seeing this as a security threat. Most customers' requirement was that if user JOE logged in from machine XYZ, that should be the only session this user has.
Now, HTTP is a stateless protocol, thus the HTTP server has no way to know that the same user has been logged from a different machine. Remember that Session Management in Oracle Applications is performed at a higher layer (AOL/J and ICX), so the HTTP server does not prevent a second session for a given user from happening.
The solution is provided by the Business Event System (part of the Workflow Suite).
ICX created a new event named oracle.apps.icx.security.session.created, which, if enabled and also subscribed, will be fired (think of a business event as a DB Trigger) when a new session is created.
How does it work?
User XYZ creates a session. The FND APIs assign a session_id to this new session. The event is raised via WF_EVENT.RAISE and it executes a rule function that takes the session_id and the fnd_user.user_id as parameters. This function executes the following SQL statement (the two bind variables stand for the two parameters just mentioned):
-- :user_id and :session_id are the rule function's two parameters
UPDATE ICX_SESSIONS
SET DISABLED_FLAG = 'Y'
WHERE USER_ID = :user_id
AND SESSION_ID != :session_id;
And that’s it. If XYZ logs in, all the previous existing sessions for this user will be automatically invalidated.
Some customers are not happy with this functionality. They would expect that if XYZ has a previously established session, when he or she wants to log in from another computer, the login screen should show a message such as "sorry, you already have an open session". However, given the nature of HTTP, this is not possible for the following reasons:
Browsers can crash, leaving the existing session open and the user without any chance to log in
Users close the browser window instead of logging off as intended
Computers can crash
An enhancement to this behavior can be considered in the future; however, it is unlikely that it would be approved.
Workaround to allow Application Users to be restricted from starting more than one User Session
1. Take a backup of table wf_event_subscriptions
2. Run the following SQL to prevent TESTUSER from starting more than one user session. Replace TESTUSER with the user you want restricted.
update wf_event_subscriptions set parameters = 'excludedUsers=SYSADMIN,GUEST,ANONYMOUS,TESTUSER'
where EVENT_FILTER_GUID = '8FD5D7F235A83E41E03408002092A95D';
commit;
By default, SYSADMIN, GUEST and ANONYMOUS are not allowed to start more than one user session.
3. Test TESTUSER is not able to start more than one user session from different machines.
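The queries below are an added verification example for the mechanism described above and for step 3 of the workaround; they are not part of the Oracle note. They assume the standard E-Business Suite tables named in the note (WF_EVENT_SUBSCRIPTIONS, ICX_SESSIONS, FND_USER) plus WF_EVENTS, and the column names STATUS, RULE_FUNCTION, FIRST_CONNECT and LAST_CONNECT from the standard data model.

```sql
-- Added example (not from the Oracle note). Run as APPS in SQL*Plus.
-- Assumed tables/columns: WF_EVENTS.NAME/GUID, WF_EVENT_SUBSCRIPTIONS.STATUS,
-- RULE_FUNCTION, ICX_SESSIONS.FIRST_CONNECT/LAST_CONNECT.

-- 1. Confirm the session.created subscription is enabled and inspect
--    its excludedUsers list (the PARAMETERS column edited in step 2).
SELECT e.name, s.status, s.rule_function, s.parameters
  FROM wf_event_subscriptions s
  JOIN wf_events e ON e.guid = s.event_filter_guid
 WHERE e.name = 'oracle.apps.icx.security.session.created';

-- 2. Show every session row held by the test user. After a second login
--    from another machine, only the newest SESSION_ID should still have
--    DISABLED_FLAG = 'N'; older ones should have been set to 'Y'.
SELECT u.user_name, i.session_id, i.disabled_flag,
       i.first_connect, i.last_connect
  FROM icx_sessions i
  JOIN fnd_user u ON u.user_id = i.user_id
 WHERE u.user_name = 'TESTUSER'   -- replace with the restricted user
 ORDER BY i.last_connect DESC;

-- 3. Detection sweep: users that currently hold more than one enabled
--    session. Once the event is active this should list only users named
--    in excludedUsers; anyone else here means the rule is not firing.
SELECT u.user_name, COUNT(*) AS enabled_sessions
  FROM icx_sessions i
  JOIN fnd_user u ON u.user_id = i.user_id
 WHERE NVL(i.disabled_flag, 'N') = 'N'
 GROUP BY u.user_name
HAVING COUNT(*) > 1
 ORDER BY enabled_sessions DESC;
```

Disabled session rows stay in ICX_SESSIONS until the standard purge job removes them, so query 2 will keep showing the older sessions with DISABLED_FLAG = 'Y' for a while after the test.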
How to disable the event oracle.apps.icx.security.session.created
1. Log in to E-Business Suite and navigate to Workflow Administrator Web Application > Business Event. Search for oracle.apps.icx.security.session.created.
2. Then click on clock symbol under the Subscription column. Use the pencil beside subscription icx_sec.doNewSessionEvent to access its definition and disable it.
3. Shutdown and restart the Workflow Agent Listener Service.