Original URL: http://stackoverflow.com/questions/25052679/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
How to prevent multiple login with same credentials on different devices in java
Asked by Reetika
I have a requirement: I need to prevent multiple logins with the same credentials on different devices, i.e. log out the previously logged-in user and allow the new user to log in.
Let's say user_A is already logged in, then user_B tries to log in to the application with the same credentials as user_A; then log out user_A and allow user_B to log in. I tried this with servlet and session but was unable to resolve it.
Thanks in advance.
Answered by maress
You need to have a concept of application scope.
When a user logs in, simply register him as logged in in this application scope context (for example, if you were using JSF/CDI you would store this in an @ApplicationScoped or @Singleton bean).
This example assumes you are defining your own context.
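
    import java.util.Map;
    import java.util.concurrent.ConcurrentHashMap;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    // Application scoped.
    // You also need to more or less make it a singleton.
    public enum MyApplication {
        CURRENT_APPLICATION;
        // user -> the session that user is logged in on (MyUser needs equals()/hashCode())
        private final Map<MyUser, HttpSession> sessions = new ConcurrentHashMap<>();
        public void onLogin(MyUser user, HttpSession session) {
            session.setAttribute("user", user);
            sessions.put(user, session);
        }
        public MyUser getCurrentUser(HttpSession session) {
            return (MyUser) session.getAttribute("user");
        }
        public boolean isLoggedIn(MyUser user) { // logged in on any session
            return sessions.containsKey(user);
        }
        public boolean isLoggedIn(MyUser user, HttpSession session) { // logged in on this session
            return session.equals(sessions.get(user));
        }
        public void logoutUser(MyUser user) { // logs out the user in any session
            HttpSession old = sessions.remove(user);
            if (old != null) {
                try { old.invalidate(); } catch (IllegalStateException alreadyInvalid) { /* expired meanwhile */ }
            }
        }
    }

    public class MyServlet extends HttpServlet {
        // somewhere in doGet or doPost; findUser() is your own credential check
        private void login(HttpServletRequest request, String username, String password) {
            MyUser user = findUser(username, password);
            HttpSession session = request.getSession(); // session from http request
            boolean loggedInAnotherSession = MyApplication.CURRENT_APPLICATION.isLoggedIn(user);
            boolean loggedInOnThisSession = MyApplication.CURRENT_APPLICATION.isLoggedIn(user, session);
            // logout the user if he is logged in on a session other than this one
            if (loggedInAnotherSession && !loggedInOnThisSession) {
                MyApplication.CURRENT_APPLICATION.logoutUser(user);
            }
            if (!loggedInOnThisSession) {
                // user is either logged in on a different session or not logged in at all: log the user in
                MyApplication.CURRENT_APPLICATION.onLogin(user, session);
            }
        }
    }
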
Answered by Toren
Not in Java and maybe overly simplified, but hey... it works for me in Web2Py:
Only on successful login, I am writing the SessionID (response.session_id) in the auth_membership table in the MySQL DB. On the landing page (index page) I check whether the current response.session_id is equal to the SessionID coming from the DB. If so - all is fine. If not - (the "older", first) user is politely logged out.
The above works since with each login a NEW response.session_id is created and stored in the DB. The checking is done only on the landing page (which in my app is the most important one, initiating many other functions), so not too many DB hits for the above. The above is not dependent on the user logging out. No IP address is involved (which, as others have mentioned, suffers from its own issues). It allows only ONE user to be logged in at a time and it logs out the "older" user.
Hope it helps NeoToren
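The check Toren describes (store the session id at login, compare it on later requests), written in Java as an added example that is not part of the original answers. The class name, method names and sample session ids are assumptions; in a servlet application the ids would come from HttpSession.getId() and the per-request check would sit in a filter.

```java
import java.util.concurrent.ConcurrentHashMap;

/** Added example: at most one valid session id per account; the newest login wins. */
public class SingleSessionRegistry {
    // account name -> id of the only session currently allowed for that account
    private final ConcurrentHashMap<String, String> active = new ConcurrentHashMap<>();

    /** Call only after the credentials were verified. Returns the displaced session id, or null. */
    public String onLogin(String account, String newSessionId) {
        String previous = active.put(account, newSessionId); // atomic swap, no check-then-act race
        return newSessionId.equals(previous) ? null : previous;
    }

    /** Per-request check: false means this session was displaced and must be logged out. */
    public boolean isCurrent(String account, String sessionId) {
        return sessionId.equals(active.get(account));
    }

    /** Logout or session expiry. Removes the entry only if it still belongs to this session,
     *  so a displaced session that expires later cannot log out the newer one. */
    public boolean onLogout(String account, String sessionId) {
        return active.remove(account, sessionId);
    }

    private static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        SingleSessionRegistry registry = new SingleSessionRegistry();
        // Constructed sample ids; in a servlet they would come from HttpSession.getId().
        String deviceA = "sess-A-1f3c", deviceB = "sess-B-9e77";

        check(registry.onLogin("shared-account", deviceA) == null, "first login displaces nobody");
        check(registry.isCurrent("shared-account", deviceA), "device A is current");
        check(deviceA.equals(registry.onLogin("shared-account", deviceB)), "device B displaces A");
        check(!registry.isCurrent("shared-account", deviceA), "device A must now be logged out");
        check(!registry.onLogout("shared-account", deviceA), "stale logout from A is ignored");
        check(registry.isCurrent("shared-account", deviceB), "device B is still logged in");
        check(registry.onLogout("shared-account", deviceB), "device B logs out normally");
        check(!registry.isCurrent("shared-account", deviceB), "nobody is logged in");
        System.out.println("all checks passed");
    }
}
```

With more than one application server, the map would have to live in shared storage such as the database table the answer uses.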
Answered by Ker p pag
You need to use session attributes and check if the attribute is empty or not. If the attribute is not empty, replace it with your new user object.

    // newUser (hypothetical name) is the user object built from the login just submitted
    User currentUser = (User) request.getSession().getAttribute("loggedUser");
    if (currentUser != null) {
        // a user is already stored in this session: replace it with the new user
        request.getSession().setAttribute("loggedUser", newUser);
    } else {
        // nothing stored yet: create the session if needed and store the new user
        request.getSession(true).setAttribute("loggedUser", newUser);
    }