diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
index 26604faea8..6f1fa0feec 100644
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -124,6 +124,8 @@ def http_session_authenticator(session)
 user = current_account.users.for_environment(current_environment, strict: current_environment.nil?)
 .find_by(id: session[:user_id])
+ # Currently we only allow 1 session per-user, meaning if the session
+ # nonce doesn't match, then the current session is expired.
 unless user.present? && user.account_id == session[:account_id] && user.session_nonce == session[:nonce]
 session.destroy # clear cookie