Just thinking out loud, if you use memcached maybe simply storing a variable with the username and checking whether it is set before allowing a call from that user.
That would work.

David