We've found some user login too much times in our system.
Ordinary, we have about 200-300 users online. Last week, this number grow up to 5000+, and about 4600+ sessions belong to 1 user. Maybe there's some bug in his/her browser.
So we modified the kernel code to make the ability to restrict the session one user can create simultaneously.
The attachment is our patch.