I need a way of allowing one login at a time per user.
This is to deliver a commercial system where concurrent logins are not alloweddue to licensing.
I realise it will only be accurate to 15 mins - and I am not using the forum module (yet!).
Hm looking aroud I can see that the "last visited" time is within the last 15 mins.
So could I use a CustomMemberLoginForm that checks that the member's last visited time is older than 15mins before trying doLogin(), else deny them with a "too many users logged in with this username message" ??
I think you had it correct with your last post. Have a custom doLogin that checks to see whether that person is already logged in and if so deny the login. It's impossible really to accurately say whether a user is logged in with SilverStripe, so the level of complexity depends on your commerical needs. A basic CSRF pattern (which may work for you) is storing the users IP, computer hostname string in the database and anything else you could get that is unique to that workstation and make sure that if a user is logging in within a 15min period that it comes from the same details.