Handling multiple sessions for same user credentials and avoiding new browser window opening in my web application

I want to handle following scenarios in my new web application.

1. If multiple users log into the application 开发者_C百科with same credentials, the application should deny access. Since I have out of process session store, I would be able to make out when this situation happens. So I can deny all requests after first successful attempt. This will however not work if the user instead of logging out of the application, closes the browser. The session will continue to reflect in the store for the period of timeout value.

2. If a user attempts to open a new browser windows (Ctrl+N), the application should defeat this attempt. Every new page can potentially fiddle with cookies. I want to therefore deny the users the ability to open new window.

How about?

1. Having a server timer and then track users session. Reset the timer when you get the request back to the server.

2. Not possible. Ctrl + N is for opening a new browser window and this does not mean that the user is going to visit your site.

Also check out this question which might be of some interest.

How to differ sessions in browser-tabs?