How to logout/invalidate a session in a different browser?

[davidmr]

In a Play application, when using cookie-based sessions, if the user logs in using two different browsers, is it possible that when they logout from one of the browsers, Play invalidates both sessions?

[mkurz]

This is not a Play specific problem. You would have implement a mechasim that tracks all user's session (e.g. based on browser and ip) and then when a user sends a log out request invalidate all of his/her other sessions.

Just an idea:
When a user logs in the first time you could save the current timestamp in it's session cookie.
You need to store this current timestamp also in a map or in key/value store or database, etc if they key does not exists yet.
On each request you read this timestampe session value and it has to <= with your saved value otherwise user is logged out.
So when a user logs out you delete the saved timestamp by your app (remove it from the map, etc), which invalidates all other sessions.
When a user logs in again you create a new timestamp and again save it in the session. Sessions that have an old timestamp saved will still be logged out because their session value is not <= anymore.
Be aware that when such a user logs in again to not replace the existing key/value locally ("if it exists"), otherwise the first logged in user would be logged out since his/her session value would then not be <= anymore.
This just came to my mind, I am sure there are other ideas that would work.

See
https://www.playframework.com/documentation/3.0.x/JavaSessionFlash#Storing-data-into-the-Session

[davidmr]

Thanks. I was thinking of a similar approach.