[eluser]kurucu[/eluser]
I don't think that would work - all that does is ensure that the session is unique to a particular PC. What data is stored in it (and thus, who is logged in) is reliant on your code.
I would have thought that, before login, you'd have to get all current sessions from the DB, deserialise them and check each one for the same user id. Then, decide whether the new logs out the old (delete the session row) or the new can't login.
The problem with the latter is that the user may not be able to log in if he closed the browser window without logging out - it would look like a second log in attempt, but actually would still only be one. A suggestion would be to a) allow them to log out previous log-ins or b) do this automatically. Final option c) provide a management destroy all sessions for user x facility; but that's horrible.
