I was able to do this in a custom Authentication filter, where I have a static map of userName->SessionId. Then, in the onAccessDenied method after the user logs in, I look for a prior sessionId for that username, and if I find one, I get the sessionDao and delete the session.
Since I'm doing the last login wins, I don't want to deny the request. But if you wanted to do that, you could return false from the onAccessDenied method, probably with some kind of status on your response.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Re-Control-Prevent-concurrent-user-logins-from-different-browsers-devices-tp7579195p7579367.html
Sent from the Shiro User mailing list archive at Nabble.com.
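
The approach described in this message, as an added Java example that is not the poster's code: it uses the `onLoginSuccess` hook that `FormAuthenticationFilter` calls from `onAccessDenied` once the login succeeds. The class name `LastLoginWinsFilter` and the injected `sessionDAO` property are assumptions, as are Shiro 1.x (`javax.servlet`) and native Shiro sessions backed by a `SessionDAO`.

```java
import java.io.Serializable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

// Hypothetical filter name; assumes native Shiro sessions and an injected SessionDAO.
public class LastLoginWinsFilter extends FormAuthenticationFilter {

    // userName -> id of the session created by that user's most recent login.
    // In-memory and per-JVM: a clustered deployment needs a shared store instead.
    private static final ConcurrentMap<String, Serializable> ACTIVE = new ConcurrentHashMap<>();

    private SessionDAO sessionDAO;

    public void setSessionDAO(SessionDAO sessionDAO) {
        this.sessionDAO = sessionDAO;
    }

    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response) throws Exception {
        String userName = String.valueOf(token.getPrincipal());
        Serializable currentId = subject.getSession().getId();

        // put() atomically records the new session and returns the one it displaced,
        // so two simultaneous logins cannot both survive.
        Serializable priorId = ACTIVE.put(userName, currentId);
        if (priorId != null && !priorId.equals(currentId)) {
            try {
                // Last login wins: remove the older session from the session store.
                sessionDAO.delete(sessionDAO.readSession(priorId));
            } catch (UnknownSessionException e) {
                // Prior session already expired or was logged out; nothing to remove.
            }
        }
        // Do not deny the request: continue with the normal success redirect.
        return super.onLoginSuccess(token, subject, request, response);
    }
}
```

Entries are never removed from the map here, so a logout or session-expiry listener should clear them in a long-running deployment.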
