Dick Song

Reputation:

Should there be a limit to concurrent number of sessions for a web application?

Upvotes: 2

Views: 2565

Answers (5)

dr. evil

Reputation: 27275

I assume you are talking about limiting the same account for multiple sessions, otherwise ignore this :)

Depends. If it's a high-security application, yes: this can avoid session hijacking issues (which can be carried out in many ways, such as XSS) and might also help users spot that their account has been stolen and used by someone else.

In a normal web application which doesn't require high security, no. It's plain irritating.

Upvotes: 1

Kalium

Reputation: 4682

Depends. Are you running in an environment where system resources are sufficiently scarce that you risk exhausting them by session use?

Upvotes: 0

krosenvold

Reputation: 77201

No.

Your application can be shut down for everyone for your entire session timeout (say 20 minutes), by a simple bot starting max sessions.

Upvotes: 0

Ryan Bolger

Reputation: 1295

Do you mean on a per user basis or for the whole application?

Per user, the question depends on what the purpose of the web application is. If it's something like an online banking site, you could reasonably decide to only allow a single session per user for security. But if your app can already handle more than one session per user, it doesn't seem to make much sense to set an arbitrary limit.

On a per application basis, it doesn't really make much sense to set an arbitrary limit either unless you know it breaks down after a certain number of sessions for some reason.

Upvotes: 0
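
An added example, not part of any answer in this thread: one way to enforce a per-account session cap, assuming an in-memory store and hypothetical names (`SessionRegistry`, `max_per_user`, `idle_timeout`). It evicts the account's least recently used session instead of refusing the new login, and returns the evicted tokens so the application can tell the user that another session was ended.

```python
import secrets
import time
from collections import OrderedDict


class SessionRegistry:
    """In-memory per-account session cap (hypothetical names, illustrative)."""

    def __init__(self, max_per_user=1, idle_timeout=20 * 60, clock=time.monotonic):
        self.max_per_user = max_per_user
        self.idle_timeout = idle_timeout   # seconds of inactivity before expiry
        self.clock = clock                 # injectable so expiry can be tested
        self._by_user = {}   # user -> OrderedDict(token -> last_seen), oldest first
        self._owner = {}     # token -> user

    def _purge_expired(self, user):
        # Expired sessions must not count toward the cap.
        now = self.clock()
        sessions = self._by_user.get(user, OrderedDict())
        for token, last_seen in list(sessions.items()):
            if now - last_seen > self.idle_timeout:
                del sessions[token]
                del self._owner[token]

    def login(self, user):
        """Create a session for an authenticated user; return (token, evicted)."""
        self._purge_expired(user)
        sessions = self._by_user.setdefault(user, OrderedDict())
        evicted = []
        while len(sessions) >= self.max_per_user:
            old, _ = sessions.popitem(last=False)  # least recently used first
            del self._owner[old]
            evicted.append(old)  # surface these to the user as a security notice
        token = secrets.token_urlsafe(32)
        sessions[token] = self.clock()
        self._owner[token] = user
        return token, evicted

    def validate(self, token):
        """Return the owning user if the token is still live, else None."""
        user = self._owner.get(token)
        if user is None:
            return None
        self._purge_expired(user)
        if token not in self._owner:
            return None
        self._by_user[user][token] = self.clock()   # refresh idle timer
        self._by_user[user].move_to_end(token)      # mark as most recently used
        return user
```

Because the cap is keyed on the authenticated account, sessions opened for one account never consume another account's allowance.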

Alex Fort

Reputation: 18819

No. Better to have your app be slow than to lock users out.

Upvotes: 0
