StayConnected: add a single session option
Summary
When using StayConnected and SingleSession at the same time, the session purge done by SingleSession does not invalidate StayConnected states.
- Browser 1: has 'llngconnection' cookie and a lemonldap cookie
- Browser 2: logs in, gets new llngconnection, invalidates lemonldap cookie for browser 1 (through SingleSession)
- Browser 1: can still login without credentials using llngconnection which is not invalidated
Design proposition
- Add an option in StayConnected so that only one valid llngconnection cookie can exist for a given user