Are the computers "imaged" or otherwise deployed onto the
enterprise using a standard/premade software configuration? Session
state relies on a unique key pair stored in a cookie at the local
machine. The server provides it to the browser upon first visit.
(And probably others, if it expires) - If the person creating the
image visits the website (to say, set it as a homepage) but then
doesn't clear cookies, any computer duplicated off that image will
have the same 'unique' pair and this session duplication will
occur. Try clearing the cookies on the affected machines, and this
could solve the problem when the server reissues the new
tokens.