Authentication framework in Commerce:
The current WCS 6.0 implementation supports a single session per user at any given time: when you try to log in from a different browser or device using the same loginId, it kills the other active session.
The context of a user in WCS is handled by a service called Business Context Services, which folds into the Business Context Engine that controls the behavior of the business components over the lifetime of a session.
It uses a couple of tables, CTXDATA and CTXMGMT, to manage the context. Each time a user comes to the site, a new activity is created in CTXMGMT, which associates the calling user (Users_id as CALLER_ID) with an ACTIVITY_ID. The ACTIVITY_ID remains the same over the course of the session, and all the contexts associated with the activity are kept in the CTXDATA table.
When the same user logs in from a different device or a separate browser, the previous context in CTXMGMT is marked as T (Terminated), and a new activity is created with state A (Active).
Out of the box this is the behavior, and I don’t know if Commerce provides any API to customize keeping multiple activities active. I know from my past experience that whenever a user has multiple activities active due to any discrepancies, he cannot log in to the site at all and gets a business context exception. I can think of a customization to manage activities outside of business context and map them to the same user.
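A model of the behavior described above, as an added example that is not WebSphere Commerce code: a simplified SQLite stand-in for CTXMGMT, a `login` step that terminates the caller's previous activity before opening a new one, and a check for callers left with more than one active activity. The `STATUS` column name, the function names and all rows are assumptions constructed for illustration.

```python
import sqlite3

# Simplified stand-in for CTXMGMT with only the columns the text mentions.
# Assumption: the state flag lives in a column named STATUS ('A' or 'T').
SCHEMA = """
CREATE TABLE CTXMGMT (
    ACTIVITY_ID INTEGER PRIMARY KEY AUTOINCREMENT,
    CALLER_ID   INTEGER NOT NULL,
    STATUS      TEXT NOT NULL CHECK (STATUS IN ('A', 'T'))
);
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def login(db, caller_id):
    """Terminate the caller's active activities and open a new one, atomically."""
    with db:  # single transaction: commit on success, roll back on error
        db.execute("UPDATE CTXMGMT SET STATUS = 'T' "
                   "WHERE CALLER_ID = ? AND STATUS = 'A'", (caller_id,))
        cur = db.execute("INSERT INTO CTXMGMT (CALLER_ID, STATUS) "
                         "VALUES (?, 'A')", (caller_id,))
    return cur.lastrowid

def callers_with_multiple_active(db):
    """Return {caller_id: [activity ids]} for callers with >1 active activity."""
    rows = db.execute(
        """SELECT CALLER_ID, ACTIVITY_ID FROM CTXMGMT
           WHERE STATUS = 'A' AND CALLER_ID IN (
               SELECT CALLER_ID FROM CTXMGMT WHERE STATUS = 'A'
               GROUP BY CALLER_ID HAVING COUNT(*) > 1)
           ORDER BY CALLER_ID, ACTIVITY_ID""").fetchall()
    found = {}
    for caller, activity in rows:
        found.setdefault(caller, []).append(activity)
    return found

def demo():
    db = new_db()
    first = login(db, 1001)   # constructed caller, first browser
    second = login(db, 1001)  # second browser: first activity becomes 'T'
    login(db, 2002)
    # Constructed discrepancy: an active row written outside login()
    db.execute("INSERT INTO CTXMGMT (CALLER_ID, STATUS) VALUES (2002, 'A')")
    return first, second, callers_with_multiple_active(db)
```

Running the same grouping query as a scheduled check surfaces accounts in the multiple-active state before the affected users report failed logins.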