When a new session is created, record the IP address the request was received from. On every later access of an existing session, check whether the requesting IP has already been associated with that session. If more than N distinct IPs are seen using the same session within X units of time, write a debug log event recording the anomaly (e.g. "Session 'deadbeef' hit from 6 IPs in 10 minutes: 0.0.0.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206"). These events should go to a distinct log channel that carries only these events, so they do not pollute other logs and can be managed (access-controlled, retained, purged) as sensitive data: they contain PII (client IPs) and a secret (the session id). Note that behind a reverse proxy the relevant address is the client's, not the proxy's, and that users behind carrier NAT or corporate proxies legitimately change addresses, so this is an anomaly signal to log, not by itself grounds to invalidate the session.
N and X should be configurable, with sane defaults such as N = 5 and X = 10 minutes.
One implementation is to log on every access of the session and vary the event's log level by threshold, where C is the number of distinct IPs seen for the session within the last X: debug for C == 1, info for 1 < C < N, and warning for C >= N.
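The following is an added, stand-alone sketch of the tracker described above (not code from this project): a sliding window of (timestamp, IP) hits per session, a dedicated logger named "session.ip_anomaly" so the events can be routed to their own handler, and the debug/info/warning thresholds on C. The class name, the logger name and the sample session id and IPs are assumptions for illustration.

```python
import logging
import time
from collections import defaultdict, deque

# Dedicated channel for these events. propagate=False keeps them out of the
# application's root logger; attach a restricted-access sink here in production.
# The stderr handler below is only so the example shows output when run alone.
anomaly_log = logging.getLogger("session.ip_anomaly")
anomaly_log.setLevel(logging.DEBUG)
anomaly_log.propagate = False
if not anomaly_log.handlers:
    anomaly_log.addHandler(logging.StreamHandler())


class SessionIpTracker:
    """Tracks the distinct client IPs seen per session inside a sliding window.

    max_ips is N and window_seconds is X from the description above.
    """

    def __init__(self, max_ips=5, window_seconds=600):
        self.max_ips = max_ips
        self.window = window_seconds
        # session_id -> deque of (timestamp, ip), oldest first.
        self._hits = defaultdict(deque)

    def record(self, session_id, ip, now=None):
        """Call on session creation and on every access.

        Returns (log_level, distinct_ips_in_window) after logging the event.
        """
        now = time.time() if now is None else now
        hits = self._hits[session_id]
        hits.append((now, ip))

        # Drop hits that fell out of the window so C only counts recent IPs.
        cutoff = now - self.window
        while hits and hits[0][0] < cutoff:
            hits.popleft()

        # Distinct IPs in first-seen order, for a stable log message.
        distinct = list(dict.fromkeys(ip for _, ip in hits))
        count = len(distinct)

        if count >= self.max_ips:
            level = logging.WARNING
        elif count > 1:
            level = logging.INFO
        else:
            level = logging.DEBUG

        anomaly_log.log(
            level,
            "Session '%s' hit from %d IPs in %g minutes: %s",
            session_id, count, self.window / 60, ", ".join(distinct),
        )
        return level, distinct

    def forget(self, session_id):
        """Call when the session is destroyed so per-session state is freed."""
        self._hits.pop(session_id, None)


def demo():
    """Constructed sequence of accesses to one session (hypothetical data)."""
    tracker = SessionIpTracker(max_ips=5, window_seconds=600)
    sid = "deadbeef"
    accesses = [
        (0, "10.0.0.1"), (60, "10.0.0.1"), (120, "10.0.0.2"), (180, "10.0.0.3"),
        (240, "10.0.0.4"), (300, "10.0.0.5"),
        # 15 minutes later: everything before t=300 has expired from the window.
        (900, "10.0.0.6"),
    ]
    return [tracker.record(sid, ip, now=t)[0] for t, ip in accesses]


if __name__ == "__main__":
    demo()
```

Because the window is evaluated on every access, the level climbs through debug, info and warning as new addresses arrive and drops back once old hits age out, which is what lets the events double as a low-noise audit trail of normal sessions. Logging the full session id is what the description asks for; if the channel's access controls are weak, logging a hash or prefix of it is a cheap way to reduce what a leaked log is worth.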