If you're working on a single-server configuration that's not in the cloud, I once implemented a static Dictionary of username, session-key value and timeout, with the username as key.
On each request, try to get the user record from this dictionary. If found, check the session key and see if the request is from the same client. If not, check the timeout value, and throw an error denying access to the server. In other cases, create the record if it does not exist, and update its timeout to the current time if it already exists and is the same session.
If you're working on multiple servers/cloud, you can implement a similar thing with SQL Server tables. I would be less worried about performance given that ASP.NET user sessions are either on a dedicated SessionServer or SQL Server already.
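
A sketch of the single-server check described in the answer above, added here as an example and not the answer author's code. The class and member names, the 20-minute idle window, returning `false` instead of throwing, and letting a new session replace a timed-out one are all assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added illustration; every name here is hypothetical.
public static class SingleSessionGuard
{
    private sealed class Entry
    {
        public string SessionKey;
        public DateTime LastSeenUtc;
    }

    // username -> active session. Static, so it is shared by all requests in this process only.
    private static readonly Dictionary<string, Entry> Active =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private static readonly object Gate = new object();

    // Assumed idle window; align it with the application's session timeout.
    public static TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);

    // Returns true if the request may proceed, false if the user has a live session elsewhere.
    public static bool TryEnter(string username, string sessionKey, DateTime nowUtc)
    {
        lock (Gate) // the check and the update must be atomic across concurrent requests
        {
            Entry entry;
            if (Active.TryGetValue(username, out entry)
                && !string.Equals(entry.SessionKey, sessionKey, StringComparison.Ordinal)
                && nowUtc - entry.LastSeenUtc < IdleTimeout)
            {
                return false; // different client and the existing session has not timed out
            }
            // No record, same session, or stale record: create or refresh it.
            Active[username] = new Entry { SessionKey = sessionKey, LastSeenUtc = nowUtc };
            return true;
        }
    }

    // Call on logout so the user can sign in elsewhere without waiting for the timeout.
    public static void Leave(string username, string sessionKey)
    {
        lock (Gate)
        {
            Entry entry;
            if (Active.TryGetValue(username, out entry) && entry.SessionKey == sessionKey)
                Active.Remove(username);
        }
    }
}
```

Call `TryEnter` once per authenticated request and deny the request when it returns `false`. The dictionary is emptied whenever the application restarts, which releases every user at once.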