Support for single active session per user (invalidate old token on new login) #13482
lizhecome started this conversation in Feature Requests & Ideas (0 comments)
Description:
Currently, Payload CMS allows the same user account to stay logged in from multiple devices at the same time. Even after a new login occurs, the old access tokens remain valid until they expire.
Expected behavior:
I would like to have an option (or built-in feature) that enforces a single active session per user. This means:
• When a new device logs in successfully, the previous active token(s) for that user are automatically invalidated.
• This ensures that a user can only stay logged in from one device or browser at any given time.
Why this is important:
• Improves account security by preventing multiple concurrent logins.
• Useful for systems that require strict session control (e.g., admin panels, paid services, sensitive data access).
Current behavior:
• After logging in from a new device, the old token from a previous device is still valid until it expires.
Possible solution ideas:
• Store the latest valid session ID or token in the user collection, and check it for every authenticated request.
• Provide a hook or middleware to customize token invalidation logic.
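The mechanism sketched in the post's first solution idea, as an added, stand-alone illustration that is not Payload's own auth code: a fresh session ID is written to the user record on every login and bound into the token, and every authenticated request is rejected unless the token's session ID still matches the stored one. The in-memory user store, the HMAC-signed token format, the `SECRET` constant and the function names (`login`, `authenticate`, `logout`, `demo`) are assumptions made for the example; a real deployment would hang the same two steps off the project's login handling and its per-request auth check.

```typescript
// Added example, not code from Payload or from the post's author.
// Single active session per user: the user record stores the id of the
// latest session, tokens carry the session id they were issued for, and a
// token whose session id no longer matches the record is refused.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

interface User {
  id: string;
  email: string;
  currentSessionId: string | null; // latest session id; null means logged out
}

interface TokenClaims {
  sub: string; // user id
  sid: string; // session id this token is bound to
  exp: number; // expiry, unix seconds
}

const SECRET = "dev-only-secret-change-me"; // assumption: stands in for the server's JWT secret
const TOKEN_TTL_SECONDS = 7200;

// Constructed in-memory "users" collection for the example.
const users = new Map<string, User>([
  ["u1", { id: "u1", email: "admin@example.com", currentSessionId: null }],
]);

const nowSeconds = (): number => Math.floor(Date.now() / 1000);

function sign(claims: TokenClaims): string {
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  const mac = createHmac("sha256", SECRET).update(body).digest("base64url");
  return `${body}.${mac}`;
}

function parseClaims(body: string): TokenClaims | null {
  try {
    const c = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
    if (typeof c.sub !== "string" || typeof c.sid !== "string" || typeof c.exp !== "number") return null;
    return c as TokenClaims;
  } catch {
    return null;
  }
}

// Login: rotate the session id, persist it on the user, bind the token to it.
// Every token issued before this call now carries a stale sid.
function login(userId: string, now: number = nowSeconds()): string {
  const user = users.get(userId);
  if (!user) throw new Error("unknown user");
  const sid = randomBytes(16).toString("hex");
  user.currentSessionId = sid;
  return sign({ sub: userId, sid, exp: now + TOKEN_TTL_SECONDS });
}

// Authenticate: check signature and expiry, then require that the token's sid
// equals the one currently stored on the user record (one DB read per request).
function authenticate(token: string, now: number = nowSeconds()): User | null {
  const parts = token.split(".");
  const body = parts[0];
  const mac = parts[1];
  if (parts.length !== 2 || !body || !mac) return null;
  const expected = createHmac("sha256", SECRET).update(body).digest();
  const given = Buffer.from(mac, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = parseClaims(body);
  if (!claims || claims.exp <= now) return null;
  const user = users.get(claims.sub);
  if (!user || user.currentSessionId === null) return null;
  if (user.currentSessionId !== claims.sid) return null; // superseded by a newer login
  return user;
}

// Logout: clearing the stored session id invalidates the live token as well,
// which a stateless expiry-only JWT cannot do.
function logout(userId: string): void {
  const user = users.get(userId);
  if (user) user.currentSessionId = null;
}

// Two logins for the same account: only the most recent token survives.
function demo(): { oldStillValid: boolean; newValid: boolean } {
  const tokenA = login("u1"); // device A
  const tokenB = login("u1"); // device B, later
  return {
    oldStillValid: authenticate(tokenA) !== null,
    newValid: authenticate(tokenB) !== null,
  };
}
```

The cost of this design is the user lookup on every authenticated request; that lookup is exactly what turns a bearer token into something the server can revoke, so it cannot be skipped. Rotating a random session id rather than storing the whole token keeps the record small and means the record never holds a credential.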