Single session middleware

[xLink]

add a setting to allow only 1 session per user account (not including api clients for obvious reasons)

[xLink]

This can be added to the forced actions (as the user will be forceably logged out if logged in elsewhere)