diff --git a/ayanova/devdocs/todo.txt b/ayanova/devdocs/todo.txt
index 6cbe1aaa..96d31e42 100644
--- a/ayanova/devdocs/todo.txt
+++ b/ayanova/devdocs/todo.txt
@@ -82,6 +82,19 @@ todo: integration tests bombing due to side effect of dltoken creation changing
 which if same account login again breaks
 FIX: fix below and implment new dl token plan will fix this
+todo: dl token and multiple logins
+ - what if user fetches dl token *after* login from route and server returns existing valid dl token from first jwt key login?
+ - but same issue really, because eventually the token expires and so what happens then, they've just logged in, fresh jwt but dltoken has 1 minute left on it
+ - possible steps:
+ user login
+ fetch session data after login
+ - route sees no dltoken or expired, generates new one and returns it
+
+ User login again
+ fetch session data after login
+ - route sees valid dltoken still and just returns it
+
+
 todo: JWT tokens, revoking expiring etc, look at this: https://github.com/ptboyer/restful-api-design-tips#authentication
 todo: PLANNING session tracking to prevent logging in from multiple devices with same account
 - right now if I login as same user on another browser the download token becomes invalid on the first computer
@@ -92,13 +105,11 @@ todo: PLANNING session tracking to prevent logging in from multiple devices with
 - JWT TOKEN for image download??
 - JWT TOKEN too large? sb as tiny as possible, currently too much info in it?
 ACTION:
- - First determine if this is a bad thing or should be supported to some degree.
- - like, maybe user is in more than one tab at the same time?
- - or, maybe user is signed in at office and on road and needs both up??
- - Is there *any* reason to support this considering users can just make as many accounts as they need to ensure no overlap.
- - what could go wrong other than dl tokens?
- - See if jwt gets sent back to server with the dl token, if not, consider adding it somehow so can ensure it's still valid at server
- - if not valid then sends a 401 not authorized
+ - I've decided to *NOT* allow simultaneous same login sessions
+ - If user logs in then prior jwt is invalidated somehow (in db tracking)
+ - So user's won't share passwords, gives more control and security and supports future 2fa scenario
+ - This will absolutely FUCK UP the integration tests so I guess I need a workaround for that
+ - Actually, are they really logging in fresh again? I think it logs in once and then shares the token...must check
 todo: User dl token and other data in JWT not required should be fetched seperately
 Currently in token WAY too much stuff:
diff --git a/ayanova/src/api/authutil.js b/ayanova/src/api/authutil.js
index 9b892403..f7f6ac41 100644
--- a/ayanova/src/api/authutil.js
+++ b/ayanova/src/api/authutil.js
@@ -46,10 +46,10 @@ export function processLogin(response) {
 apiToken: response.data.token,
 authenticated: true,
 userId: Number(token.id),
- userName: token.name,
- roles: token["ayanova/roles"],
- userType: token["usertype"],
- dlt: token["dlt"]
+ userName: response.data.name,
+ roles: response.data.roles,
+ userType: response.data.usertype,
+ dlt: response.data.dlt
 });
 //Initialize the application
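Review bot: The new `userName`, `roles`, `userType` and `dlt` values are taken from the response body while `userId` on the line just above is still `Number(token.id)` from the decoded JWT, so the stored session now mixes two sources for one identity, and nothing checks that the body fields are present — if the server has not been updated to return them (that side is not in this diff) they are committed as `undefined` rather than failing the login. Consider validating the body before committing it, e.g. `if (!Array.isArray(response.data.roles)) throw new Error('login response missing roles');`, and either deriving `userId` from the body as well or documenting why it alone stays on the signed token. Since `roles` no longer comes from the signed claim it is worth a comment above these lines stating that client-side roles are only for UI gating and that the server remains the authority, so a later reader does not treat this object as proof of authorization. processLogin starts before the hunk and its body continues after it.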