There should be a server action which will automatically logout other sessions for the same User Id. So same user will not be able to login from other system or it will allow to login but logout from other systems.
Preventing concurrent logins will reduce the possibility of replay attacks. It should be possible to configure this.