I see that you can revoke sessions, but would there be a way to make it so that if a user tries to log in from a different device/ip, then they have to re-sign in? I am trying to limit users from being able to share a login and have multiple people use the account logins at once.
On a $5 DigitalOcean droplet, we've seen the forum handle loads up to 300-400 concurrent users just fine, and this is on a single CPU!!
Any more and you should probably get more cores, move your db to its own server, or scale horizontally