Session security: multi-browser validation and single-token enforcement

JAN 27, 2026
Tags: New · Improvement · Account · API

We tightened session handling after a support case where an admin’s old browser tab continued holding a valid token after a password rotation.

  • Added multi-browser auth validation so that two simultaneous sessions for the same user are reconciled rather than silently allowed.
  • Implemented single auth token validation so that only the most recently issued token for a user is honoured.
  • Resolved the “invalid session” 400 error that surfaced during quick consecutive logins.
  • Fixed the “admin login” regression and reinstated correct session validation for staff accounts and forgot-password flows.
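As an added illustration (not the product's own code) of the enforcement the two session bullets describe: a server-side per-user record that honours exactly one token, stamps it with the password version it was issued under, and so rejects an old browser tab's token both when a newer token is issued and after a password rotation. The record layout and method names are assumptions for this example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class UserSession:
    """Constructed per-user record (assumed layout, not the vendor's schema)."""
    password_version: int = 1          # bumped on every password rotation
    current_token: Optional[str] = None  # only the most recently issued token
    token_password_version: int = 0    # password version the token was issued under


class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, UserSession] = {}

    def issue_token(self, user_id: str) -> str:
        """Issue a fresh token; any earlier token for this user stops validating."""
        rec = self.users.setdefault(user_id, UserSession())
        token = secrets.token_urlsafe(32)
        rec.current_token = token
        rec.token_password_version = rec.password_version
        return token

    def validate(self, user_id: str, token: str) -> bool:
        """Honour a token only if it is the latest one and predates no password change."""
        rec = self.users.get(user_id)
        if rec is None or rec.current_token is None:
            return False
        if rec.token_password_version != rec.password_version:
            return False  # issued before the last rotation: the stale-tab case
        # Constant-time comparison avoids leaking token bytes via timing.
        return hmac.compare_digest(rec.current_token, token)

    def rotate_password(self, user_id: str) -> None:
        """Rotate the password and drop the live token so every open tab must re-login."""
        rec = self.users.setdefault(user_id, UserSession())
        rec.password_version += 1
        rec.current_token = None


def stale_tab_scenario() -> dict:
    """Replays the support case: second login, then password rotation."""
    store = SessionStore()
    tab1 = store.issue_token("admin")
    tab2 = store.issue_token("admin")          # second browser: tab1 is reconciled away
    after_second_login = (store.validate("admin", tab1), store.validate("admin", tab2))
    store.rotate_password("admin")
    after_rotation = store.validate("admin", tab2)
    tab3 = store.issue_token("admin")          # fresh login after the rotation
    return {"second_login": after_second_login,
            "after_rotation": after_rotation,
            "relogin": store.validate("admin", tab3)}
```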