I am not specifically familiar with this module, but logically the first place to begin would be to have a look at the session store that it uses ... be it a file or a database or whatever it is. You ought to be able to see the list of tokens, perhaps the IP addresses with which they are associated, and so on. And in any case, the software should be checking IPs, session timeout dates, and so forth to be certain that forged or stolen credentials are not being used. Start by looking at the authoritative session-data source that it’s referring to. Be sure, for example, that the IP address that it’s seeing does not belong, say, to an internal router or somesuch.
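An added example, not part of the original post and not the module's own code: a small audit over rows exported from a session store, flagging sessions that have expired, sessions whose recorded IP is an internal address, and IPs shared by many tokens. The row layout (token, IP, expiry), the `audit_sessions` name, the threshold and the sample data are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Internal ranges listed explicitly (RFC 1918 plus loopback). If the store
# records one of these, the application is probably seeing a router or
# proxy rather than the real client, so per-IP checks protect nothing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample rows: (token, recorded client IP, expiry in UTC).
SESSIONS = [
    ("tok-a1", "10.0.0.1",     "2024-05-01T12:30:00+00:00"),
    ("tok-b2", "10.0.0.1",     "2024-05-01T12:45:00+00:00"),
    ("tok-c3", "10.0.0.1",     "2024-05-01T11:00:00+00:00"),
    ("tok-d4", "203.0.113.25", "2024-05-01T13:00:00+00:00"),
]

def audit_sessions(rows, now, shared_threshold=3):
    """Return {token: [findings]} for rows that deserve a closer look."""
    per_ip = Counter(ip for _, ip, _ in rows)
    findings = {}
    for token, ip, expires in rows:
        notes = []
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in INTERNAL_NETS):
            notes.append("internal-ip")
        # Many tokens behind one address is a second hint that the
        # recorded IP is a shared hop, not an individual client.
        if per_ip[ip] >= shared_threshold:
            notes.append("shared-ip")
        # A row past its timeout should no longer be accepted or stored.
        if datetime.fromisoformat(expires) <= now:
            notes.append("expired")
        if notes:
            findings[token] = notes
    return findings

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed for the sample
    for token, notes in audit_sessions(SESSIONS, now).items():
        print(token, ", ".join(notes))
```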