假设你的用户身份验证是某种基于会话，那么答案，所有的意外的情况下（这实际上将成为常态 - 人们似乎很少注销Web应用程序），将是那些用户插槽成为***时，会话超时。所以，你需要调查您的应用程序的使用模式。如果你得到了很多人几分钟的登录，但没有比这更多，那么30分钟的会话超时将意味着很少有人真正得到使用的应用程序。

Assuming your user authentication is somehow session based, then the answer to all your "unexpected" cases (which will actually be the norm - people rarely seem to log out of web applications) will be that those user slots become free when the session times out. So you'd need to investigate usage patterns of your application. If you get a lot of people logging on for a couple of minutes, but no more than that, then a 30 minute session time out would mean very few people actually get to use the application.

最根本的问题是，Web应用程序本质上断开，所以你不能监视用户的网页请求之间实际上做什么。通常情况下，你会卖为特定用户这样一个应用程序的许可证（所以，如果一家公司购买了20个许可证，这将给予他们20用户名和密码）。然后，你可以肯定是由相同的用户名和密码prevent多次登录，方法是拒绝第二次登录或停用previous一（这可能是更好的方法，以防有人真正从一台机器转移到另一而没有注销为您勾勒出原因）之一。

The fundamental problem is that web applications are inherently disconnected, so you can't monitor what a user is actually doing between requests for a page. Normally, you'd sell licences for such an application for specific users (so if a company buys 20 licences, that would give them 20 user names and passwords). Then you could certainly prevent multiple logons by the same user name and password, by either refusing the second logon or deactivating the previous one (which is probably the better approach in case someone has genuinely moved from one machine to another without logging off for one of the reasons you outline).