The number of active sessions per user appears to exceed the number specified in Active User Sessions.
Configured session quotas with the "Resulting behavior if session quota exhausted" option set to anything other than DENY_ACCESS.
Enabled persistent cookies.
The persistent cookie feature enables a previously destroyed session to be resumed by refreshing the browser. When used in conjunction with session quotas, it can appear that there are more sessions than the quota should allow. In fact, each time a session is resumed using refresh, a session in another browser is destroyed, thereby maintaining the quota. Because this all occurs seamlessly, it can appear that there are endless sessions, but the number of active sessions never exceeds the limit specified.
The functionality is working correctly and sessions are limited as per the session quota.