Signing in just once

No, nothing that substantial.

Just a session ID number or something. Then if a user arrived with a cookie’s session ID that didn’t match his current ID, I would know to look around internally (like through a list of active session IDs) and refuse the session if I found one. (Otherwise his cookie’s session ID would represent an older expired session and I’d ignore it and allow him to sign in.)

Simple enough.

If you really need to limit the users’ sessions, it is a difficult thing to do. I make LDAP authentication calls to verify who users are, and I use the database method to determine if users are already signed in or not. The issue with cookies is things like multiple browsers. You would think users would respect single access restrictions, but I know people who have one session in Chrome, one in IE, and one in Firefox to get around “cookie” type limits.
I’ve never seen a system implemented where people couldn’t get accidentally locked out “somehow” - which then creates a support issue.
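
The server-side check discussed in this thread, as an added example that is not part of any poster's message: one live session per user is tracked on the server, so a second browser is refused, and idle entries expire so a forgotten session does not lock the user out. The class and function names, the in-memory dict standing in for the database, and the 900-second idle timeout are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds; assumed value, the thread names no timeout


def _same(a, b):
    """Constant-time comparison of two session ID strings."""
    return secrets.compare_digest(a.encode(), b.encode())


class SessionRegistry:
    """Server-side record of the single live session allowed per user."""

    def __init__(self, clock=time.monotonic):
        self._active = {}  # username -> (session_id, last_seen)
        self._clock = clock

    def _live(self, user):
        """Return the user's session ID, or None if absent or idled out."""
        entry = self._active.get(user)
        if entry and self._clock() - entry[1] > IDLE_TIMEOUT:
            del self._active[user]  # stale entry must not lock the user out
            entry = None
        return entry[0] if entry else None

    def sign_in(self, user, cookie_sid=None):
        """Call after credentials are verified; returns a session ID or None."""
        live = self._live(user)
        if live and not (cookie_sid and _same(live, cookie_sid)):
            return None  # a different live session exists: refuse
        sid = live or secrets.token_urlsafe(32)
        self._active[user] = (sid, self._clock())
        return sid

    def touch(self, user, cookie_sid):
        """Validate a request's cookie and refresh the idle timer."""
        live = self._live(user)
        if not live or not cookie_sid or not _same(live, cookie_sid):
            return False
        self._active[user] = (live, self._clock())
        return True

    def sign_out(self, user, cookie_sid):
        """Drop the session only when the caller holds its ID."""
        if not self.touch(user, cookie_sid):
            return False
        del self._active[user]
        return True
```

Because the lookup is keyed on the user rather than on the cookie, a second browser with no cookie is refused while the first session is live.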