FYI, it is possible to use cookies w/ multiple, simultaneous sessions. It just has to be planned for. I implemented it at a previous job to prevent link sharing by just naming the cookie the session ID (which was <15 chars). Then the application checked the cookie(s) sent with the session ID in the URL, which was always present. So if sharing was disallowed and no/invalid cookie was present, the request was denied.