top of page
Search

Testing Single-Session restrictions in Online Games



Many online games have strict session management rules, preventing players from opening multiple game sessions at the same time. This is common in multiplayer games, online casino games, and live-service titles, where allowing multiple concurrent logins could cause security issues, gameplay inconsistencies, or exploit vulnerabilities.


Testing such games requires an understanding of how sessions are handled on both the client and server sides, as well as what happens during network interruptions, forced logouts, and reconnections... because the internet just loves to ghost you when you need it most (or you are trying to cheat - oops).

EverQuest (1999)
EverQuest (1999)

A brief history of session restrictions


Session restrictions aren’t a new concept. In early MMORPGs like Ultima Online and EverQuest, developers needed to prevent players from duplicating items or transferring wealth between two active instances of their accounts.

The same was true for online poker games, where allowing multiple connections could enable unfair play (for example, collusion between two instances of the same player).


Modern games have taken this a step further, using stricter security measures to ensure that only one active session exists per account. Mobile games like Clash Royale or Diablo Immortal instantly log the previous session out when a new login is detected. Meanwhile, competitive FPS games like Valorant and Call of Duty: Warzone prevent simultaneous sessions to stop players from exploiting matchmaking systems.

Dead by Daylight (2016)
Dead by Daylight (2016)

For casino games and real-money gambling titles, such as Slingo, session restrictions help ensure fairness, prevent fraud, and enforce responsible gaming rules.

Slingo Lucky McGold
Slingo Lucky McGold

How session management works behind the scenes


When testing games that enforce single-session rules, it’s important to understand how session management works on a technical level. Most games rely on session tokens, player IDs, and server-side state management to track active game instances.


1. Session tokens and authentication


Every time a player logs in or starts a game, the server generates a unique session token (could be called a session/game ID).

This token is stored temporarily and is used to verify active game instances.


Some key points about session tokens:

  • The token expires when the user logs out or after a period of inactivity.

  • When a second login occurs, the previous session token is invalidated, forcing the first session to disconnect.

  • Tokens are often encrypted and tied to specific device IDs or IP addresses for additional security.

    The five steps for assigning session IDs.
    The five steps for assigning session IDs.

2. Game instance tracking (server-side state management)


For online games, the game server tracks all active player sessions in real-time. This can be handled in several ways:


  • Database storage: Some games use a relational database to keep track of active sessions. If a second login attempt occurs, the database entry is updated, and the first session is disconnected.

  • Cache-based session tracking: High-speed databases like Redis or Memcached store active sessions temporarily. These allow for near-instantaneous session validation without overloading the main game database.

  • WebSockets & Persistent Connections: Many modern online games use WebSockets to maintain an open connection between the client and server. If a new WebSocket connection is made from another device, the server automatically closes the old connection.

3. Handling multiple devices and forced logouts


Different games handle multiple sessions in different ways. Here are some common implementations:


  • Forced logout with error message: Most games immediately log out the first session when a second login occurs, displaying an error message such as "Your account has been logged in from another device/your session expired."

  • Graceful disconnect with reconnect option: Some titles allow the first session to reconnect if the second login fails.

  • Dual session mode (rare but exists): I could find some information on Minecraft, which apparently allows players to be logged in from different devices simultaneously but only on different servers.


Most games don’t allow true dual-session modes because it introduces complexity in terms of game state, synchronisation, and security concerns. For example:


If you’re logged into the same account from two devices at once, the game has to make sure that changes made on one device (like inventory updates or position changes) sync correctly across both devices - what a nightmare.


Also, multiple active sessions on different devices could allow cheating, such as duplicating items, exploiting bugs, or manipulating game systems (especially in competitive or real-money games).


How to test session restrictions


When testing games that rely on network connection and prevent multiple sessions, I'd check:


1. Login behaviour and session handling


  • Log in on one device, then try logging in on another. Does the first session close properly?

  • Check if the game displays an appropriate error message upon a second login attempt.

  • If the game auto-logs out the first session, does it allow the player to resume from where they left off?

  • If the second login is blocked, does the game still work on the first device?


2. Handling of network drops and reconnects


  • Simulate a network drop and observe how the game handles reconnection.

  • Check if the session remains valid after a brief network loss.

  • If the player loses connection for an extended period, does the game force them to log in again?


3. Performance and stress testing



4. Testing across different devices and platforms


  • If the game is available on PC, mobile, console, toaster, fridge, and your dog’s collar does session tracking work consistently across all platforms?

  • Do session restrictions behave differently when using a VPN or changing IP addresses?

  • What happens when switching from WiFi to mobile data? And back?


Real-world examples of games with session restrictions


1. Slingo Games (Online Casino/Gambling)

  • These games do not allow multiple logins for fairness and security.

  • If a player opens a game on a second device, the first session is instantly terminated.

  • Some test cases involve checking whether forced logouts cause any game state loss.


2. Fortnite (Battle Royale)

  • Epic Games enforces single-session logins to prevent matchmaking manipulation.

  • A second login attempt kicks out the first session and prevents multiple instances of the same account.

  • When testing, it's important to check if progress is saved correctly when a forced logout occurs.

Fortnite (2017)
Fortnite (2017)

3. Genshin Impact (RPG)

  • Players cannot be logged in from two places at once.

  • If the game detects a second login, it force-disconnects the first session.

  • Reconnection tests are crucial to ensure a seamless transition back into the game.


4. Valorant (Competitive shooter)

  • Riot Games enforces strict session tracking due to its anti-cheat system.

  • If a player attempts to log in from another device, the first session is logged out immediately.

  • VPN tests are useful to check whether the session tracking system prevents unauthorised access.

Valorant (2020)
Valorant (2020)

Testing games that rely on a network connection and enforce single-session restrictions requires careful validation of login behaviours, network handling, and server responses while making sure logins don’t glitch, the network doesn’t freeze up, and the server keeps its cool.

 
 
 

Komentáře

  • Grey LinkedIn Icon

© 2025 by Valerie Zabashta

bottom of page