you could keep all existing session identifiers somewhere on shared memory, in a database, or even as plain files on your file system. any request must then be checked against these data.