One way I can think of would be to have an existing instance of a work object whose purpose is to enforce one-at-a-time. As application starts, it would open and lock this instance, and only allow the user to proceed if the lock is obtained.
Note that if your scoping needs are to allow one login per user to use the application, you could have an instance of the one-at-a-time class per user.
1. How soft lock scenario should be handled in this approach?
For eg, user A logged onto application using a lock on instance X-Y-Z.A and so that when another try to logon with same user A ID, it will not be allowed as lock on instance A is already held. But after lock expire period say 120 mins, even though the user A is active, lock on X-Y-Z.A instance will be lost and become soft lock and then further any login attempt with user A will be successful. Now application can have 2 requestor session with same user ID.
2. If the user A who logged in, closed the browser window after logon. How can the lock acquired by user A is released. Does the user have to wait till lock expire period (default 120 mins)?