Enabling multiple logon support for the same user

Enable multiple logon support to allow for the same authenticated user to use the site from multiple browsers or locations. This feature eliminates the termination of the session and the request to reauthenticate a user, if that same user logs in from a different browser or location.

The standard behavior for WebSphere Commerce session management (by using cookies, REST tokens, or activity tokens) is to allow only one active session per user. If a user logs in from another browser or location, and they attempt to make a request with their first session, the following error is displayed:

Generic Error: Your logon ID may have been used in another location. Sign in again to continue.

This default behavior can be modified to allow multiple sessions per user. With multiple session support enabled, each user session acts independently. For example, each session can timeout or be logged out without affecting the other. All site functions are shared between user sessions. Any changes that are made to the cart through one session, for example, are display in the other session.

Important:
  • To mitigate the reduced security of enabling multiple logon support, session timeout must be enabled. To enable session timeout, see Enabling timeout.
  • WebSphere Commerce Version 8.0.4.26 or laterMultiple logon support security is enhanced in version 8.0.4.26 with session invalidation.

Procedure

To enable multiple login support:
  1. Enable multiple login on the WebSphere Commerce server.
    1. Open the WebSphere Commerce configuration file.
    2. Find the <SessionManagement> section of the XML, and insert the following line: 
      <SessionManagement>
	<url-rewriting display="false" enabled="false"/>
	<cookie acceptance="false" age="-1" display="false"
		domain="" enabled="true" path="/" persistence="wcs"/>
	<referrerCookie age="-1"/>
	<PersistentSession cookieExpiry="30"
		delayNewPersistentGuestSession="true" display="false" enable="true"/>
	<PersonalizationId display="false" enable="true"/>
	<AllowMultipleLogonForSameUser display="false" enabled="true" activityRegenerationForGuestUser="true"/>

</SessionManagement>
      Note: Setting activityRegenerationForGuestUser to true allows for the session of a guest user to continue even after the original activity record has been deleted from the database.
    3. Save and close the file.
  2. Ensure that the allowMultipleLogonForSameUser parameter is set to true in your Search server configuration. For more information, see Search properties in the component configuration file (wc-component.xml) (Search EAR).

Results

Multiple logon support is enabled. An authenticated user can now use the site from multiple browsers or locations.