I asked support ...
it appears to me that one use can consume more than one token when using WebEA.
I’d suggest that this is a bug when SSO is being used.
For example a user opens up several views of a model in separate browser tabs.
Support provided a good explanation of what is going on:
"I’d suggest that this is a bug"
Unfortunately it is not, this behavior is a result of how browser to webserver interaction work. When a browser opens a URL the hosting webserver allocates a unique session ID to that particular browser/URL combination, this session ID is the only form of identification the PCS has about a given 'user'.
However you must remember that requests are stateless, ie from one request to the next the server doesn't know if the end user is 'logged in'. Some web application get around this limitation by including data in the URL which could uniquely identify a user to the webserver and then internally the webserver could store information about the current user, but we find such URLs messy, confusing and too easy to break if a user manually changes something. Therefore the PCS keeps a track of users by session ID, but the main limitation with this approach is that users need to log out when they are finished, otherwise if they simply close the browser, then the token used is not released.
In response to this situation the PCS will automatically release a token that hasn't been used after 30 minutes of inactivity.
"For example a user opens up several views of a model in separate browser tabs."
It is our understanding if multiple tabs, on the same browser, to the same URL are opened then the same session ID is used, which means the server has no way of identifying one tab from another and if a token has already been consumed by that session then all tabs could share the one token. However if the same URL was opened in a different browser on the same client machine then yes, this would require another token because it would be using a different session ID.