Websites are frequently designed to grant users access to service applications. However, because sensitive data is often accessible through these types of applications, it is common practice to require an individual to authenticate their identity before granting access to sensitive data. Typically, this involves requiring the submission of a name and a password. This security requirement can create a problem if there are multiple services within an enterprise and each service requires a separate authentication. Repeated requests to provide authentication once a user's identity has been established will frustrate typical individuals and discourage them from using an application system. Therefore, it is sometimes desirable to configure applications within an enterprise so that an individual is only asked to authenticate once during a session. This configuration is commonly known as single sign-on (SSO).
FIG. 1 is a high level diagram illustrating a prior art SSO computer system 100. A session is initiated at a time t1 when an individual logs into application 104 with a client browser 102 by providing a name and password. Application 104, in this example, is a paycheck application but it is easily understood to be any application providing a service and configured to permit single sign-on. After the individual has submitted a name and password, their identity will be authenticated through an authentication mechanism according to the system design. FIG. 1 illustrates usernames and passwords being stored in LDAP server 108. Once authentication is complete, the SSO computer system 100 will generate a session cookie 110 which contains session token information.
After session cookie 110 has been provided to the browser 102, information contained within session cookie 110 is sent through browser 102 whenever requests are made to access other applications in SSO computer system 100 throughout the session. For example, during the session that was initiated at time t1 but at a later time t2, the individual may wish to access application 106. Because SSO computer system 100 is configured for single sign-on and information from session cookie 110 is sent with the access request, the individual is able to gain access to application 106 without having to provide a name and password. After the session is ended by logging out of SSO computer system 100, session information for the individual will be cleared and session cookie 110 will eventually be removed from the individual's computer.
A problem associated with SSO computer system 100 occurs when individuals are allowed to create an unlimited number of active sessions. If every person is allowed to have an unlimited number of simultaneous, active sessions in a network, a session table may become filled with entries to the point where other individuals cannot log into applications. The saturation of a session table may be the result of computer users failing to log out of large numbers of sessions, or it could be an indication of a malicious attack on an internet service with stolen user credentials. Therefore, there is a need for a method which allows enterprise systems to limit the number of simultaneous sessions that a person may have active. However, the method should be capable of operating in an SSO-configured network and should be flexible enough so that session quotas can be tailored to the needs of an enterprise with a minimum of administrative overhead.
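The following is an added example, not code from the patent or from any product it describes. It models the session table of SSO computer system 100 in memory: a single login (the stand-in for the LDAP check in FIG. 1 is a constructed in-code directory) issues a session token that any application such as 104 or 106 can present for authorization without a second password prompt, logout clears the entry, and a per-user quota caps the number of simultaneous sessions so that forgotten or credential-stuffed logins cannot fill the table. The class and method names, the `reject` and `evict_oldest` policies, and the per-user quota overrides are all assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed stand-in for the LDAP server 108 of FIG. 1 (username -> password).
# Example data only; a deployment would verify credentials against the directory.
DIRECTORY = {"alice": "correct horse", "bob": "battery staple"}


class AuthenticationError(Exception):
    """Name/password pair was not accepted."""


class QuotaExceeded(Exception):
    """User already holds the maximum number of simultaneous sessions."""


@dataclass
class Session:
    user: str
    token: str
    created: float


class SessionTable:
    """SSO session store with a per-user cap on simultaneous active sessions.

    on_quota="reject"       -> refuse the new login when the cap is reached
    on_quota="evict_oldest" -> drop the user's oldest session to make room
    quotas                  -> optional per-user overrides of the default cap
    """

    def __init__(self, max_sessions_per_user=3, on_quota="reject", quotas=None):
        self.default_quota = max_sessions_per_user
        self.on_quota = on_quota
        self.quotas = dict(quotas or {})
        self.sessions = {}        # token -> Session
        self.quota_events = []    # (user, timestamp) for monitoring/alerting

    def quota_for(self, user):
        return self.quotas.get(user, self.default_quota)

    def active_sessions(self, user):
        return sorted((s for s in self.sessions.values() if s.user == user),
                      key=lambda s: s.created)

    def login(self, user, password):
        """Authenticate once and return the session token carried in the cookie."""
        expected = DIRECTORY.get(user)
        # Constant-time comparison; both strings are ASCII in this example.
        if expected is None or not secrets.compare_digest(expected, password):
            raise AuthenticationError(user)
        active = self.active_sessions(user)
        if len(active) >= self.quota_for(user):
            self.quota_events.append((user, time.time()))
            if self.on_quota == "evict_oldest":
                self.sessions.pop(active[0].token, None)
            else:
                raise QuotaExceeded(user)
        token = secrets.token_urlsafe(32)   # unguessable session token
        self.sessions[token] = Session(user, token, time.time())
        return token

    def authorize(self, token):
        """Called by any application (104, 106) on a request carrying the cookie.

        Returns the authenticated user name, or None if no session exists.
        """
        session = self.sessions.get(token)
        return session.user if session else None

    def logout(self, token):
        """End the session; the cookie value is no longer honoured by any application."""
        self.sessions.pop(token, None)
```

Rejecting the login at the quota leaves existing sessions untouched and gives the user an explicit signal; evicting the oldest session favours the newest login and silently ends an older one, which may be the forgotten or unauthorized one. `quota_events` is where a detection pipeline would look: a burst of quota hits across many accounts is the table-saturation pattern the text associates with stolen credentials.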