On occasion, you may find that you or one of your users encounters the ‘Duplicate Login’ error when attempting to login to your Activ system. This message will state that Activ cannot log you into the account, because someone is already using it.
At its core, the ‘Duplicate Login’ message is a component of a security feature known as ‘Concurrency’ (i.e. ‘Single User Login’). This has been designed to:
- ensure that only one session can be live for an account at any one time, to protect your system from the issues that could be caused by two people attempting to edit data from the same account at the same time; and
- to alert you if someone is already using the account when you attempt to login, so that a) you know that the other owner is currently logged in if it is a shared account, or b) you are alerted if someone has gained unauthorised access to your account when it is not a shared account.
However, as Activ’s user sessions do not end until the user specifically logs out of the account, or the session times out, it is relatively common for users to encounter this error message even when no one is technically using their account. This can occur when:
- the user closes their tab or browser without clicking on the Logout button; or
- the user attempts to log into Activ from a browser or device (or an incognito window) whilst they have a live session open in another browser or device.
In both of these cases, Activ will detect the existing (now idle) user session for the account and will block further login attempts accordingly. It will continue to block login attempts until such time as the existing user session has been ended by either someone clicking on the Logout button, or the session timing out for inactivity.
In most cases, the ‘easiest’ fix for this (besides ensuring that you always log out before closing Activ), is simply to wait for the session to time out before you attempt to log back in. Precisely how long this will take will depend on the timeout setting that has been configured for your organisation (if it has been modified from the default 15 minutes), and on you not attempting to log back in until you are sure this time has elapsed. Login attempts made whilst a session is still live will tend to refresh the existing session, essentially extending the length of time needed for that session to expire.
Occasionally, you may find that you have to wait an excessive amount of time for the old session to expire, usually because your organisation has a long timeout setting applied – or, much more rarely, because something within your organisation’s setup is continuing to ‘ping’ Activ, erroneously refreshing the session. If you encounter this issue, or simply need to restore your access urgently, then it is advisable to contact the Activ Technical Support Team so that we can provide you with further assistance.
If you have not modified your default settings, then you should be presented with a tooltip message displaying your last login date and time every time you log into Activ. It is strongly advised that you check the login information displayed within this after you have encountered the duplicate login message, so that you can confirm that the last login was indeed made by you. If you do not recognise the login date/time, or are unsure whether it is correct, you should change your password immediately and advise the appropriate member of your organisation.
Similarly, if you encounter the Duplicate Login error and are sure you have not accessed Activ that day, then you should immediately contact the appropriate member of your organisation to arrange for your account to be Disabled, as this will instantly block access to all parts of your system, preventing any unauthorised users from viewing or modifying any further records. Once this has been done, we recommend that the following steps are taken:
- Your company audits any areas that your account could have accessed, to determine if any malicious changes have been made;
- A password reset is issued, so that the account’s password can be changed;
- The account is left disabled until you are positive that the existing session has timed out and are happy that any unauthorised access has been fully revoked; and
- An Incident Log is raised, if required by your company policies.
