@luizsan You should use session refresh to allow user sessions to be extended without prompting the user to authenticate again. This is exactly what the refresh mechanic is intended for.
> I encountered an extremely weird bug where two distinct sessions were accessed from another, completely unrelated testing machine, which was catastrophic - imagine random strangers getting access to your account.

How would this happen without these “strangers” either knowing your account credentials (email+password etc) or getting access to the session token? The session token should never be shared with another device, only stored locally. Check your game flow.
> Restoring sessions does not invalidate the previous ones, so players can play against themselves if they open a second tab. Is it possible to invalidate the previous session upon authentication so that won’t happen?

New sessions do not invalidate previous ones (unless you choose to log out the older session). This is an intentional design decision. If you want to ensure the user only plays from one device at a time, in one match at a time, you should set the `session.single_match` and `session.single_socket` config options to be true. They will ensure that if a user tries to connect a 2nd device, the 1st one will be disconnected.
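
An added example of the client-side decision behind the refresh advice above; it is not code from this thread or from the server project. `jwtExpiry`, `nextSessionAction` and `fakeJwt` are hypothetical helpers, and it assumes the session and refresh tokens are JWTs carrying an `exp` claim in seconds.

```javascript
// Added example: decide what to do with a locally stored session at startup.
// Assumption: both tokens are JWTs with an `exp` claim (seconds since epoch).
// The client only reads `exp` as a hint; the server remains the authority on validity.

function jwtExpiry(token) {
  // Returns the exp claim in seconds, or 0 if the token is missing or malformed.
  if (typeof token !== "string") return 0;
  const parts = token.split(".");
  if (parts.length !== 3) return 0;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
    const claims = JSON.parse(atob(padded));
    return Number.isFinite(claims.exp) ? claims.exp : 0;
  } catch (_) {
    return 0; // bad base64 or bad JSON: treat as expired
  }
}

// "reuse": session token still valid.
// "refresh": session token expired, refresh token valid, so no login prompt is needed.
// "reauthenticate": nothing usable is stored; ask for credentials.
function nextSessionAction(stored, nowSec, skewSec = 60) {
  if (!stored) return "reauthenticate";
  if (jwtExpiry(stored.token) - skewSec > nowSec) return "reuse";
  if (jwtExpiry(stored.refreshToken) - skewSec > nowSec) return "refresh";
  return "reauthenticate";
}

// Constructed sample tokens (unsigned, for illustration only).
function fakeJwt(exp) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc({ exp })}.sig`;
}

const NOW = 1700000000; // constructed "current time" in seconds
const samples = {
  fresh: { token: fakeJwt(NOW + 3600), refreshToken: fakeJwt(NOW + 86400) },
  stale: { token: fakeJwt(NOW - 10), refreshToken: fakeJwt(NOW + 86400) },
  dead: { token: fakeJwt(NOW - 7200), refreshToken: fakeJwt(NOW - 10) },
  corrupt: { token: "not-a-jwt", refreshToken: "" },
};
for (const [name, s] of Object.entries(samples)) {
  console.log(name, "->", nextSessionAction(s, NOW));
}
```

Each device or tab keeps its own stored pair; with the single-socket and single-match options enabled, the server still decides which connection stays active.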