Tags: security, cookies, asp.net-identity, token, identityserver4

Security issue related to token saved in browser cookie in Identity Server 4


I'm using Identity Server 4 version 3.1.2. I logged in with one user's information in Chrome and with another user's information in Firefox on the same computer. If I copy the first user's token saved in Chrome's cookies and paste it into Firefox's cookies (replacing the second user's token) and refresh Firefox (pressing F5), the user logged in to Firefox changes to the Chrome user, and this is a security issue. What can I do to prevent this problem?


Solution

  • There is nothing you can do to mitigate this issue for sure. You may check whether the user agent header is what you expect it to be, but then someone will fake the user agent header with a plugin and you are back to square one. All the other headers can be bypassed in a similar fashion.

    (Although if you decide to trust the user agent header, then this is the solution for you.)

    Checking for IPs, sockets, or TLS sessions has proven to generate too many problems to be considered a solution at all.
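The user-agent check the answer mentions, as an added example that is not code from the question, the answer, or IdentityServer4 itself: it binds the ASP.NET Core 3.1 authentication cookie to a hash of the User-Agent at sign-in and rejects the ticket when a later request presents a different one. It assumes ASP.NET Identity is the cookie scheme (hence ConfigureApplicationCookie) and that the ticket item key "ua_hash" is free; as the answer says, anyone who copies the User-Agent along with the cookie passes this check, so it only raises the bar slightly.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

public static class UserAgentBinding
{
    // Key under which the hash is stored in the encrypted authentication ticket (assumed name).
    private const string UaHashKey = "ua_hash";

    private static string HashUserAgent(string userAgent)
    {
        // SHA256.HashData is .NET 5+, so use the Create/ComputeHash form available on 3.1.
        using var sha = SHA256.Create();
        return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(userAgent ?? string.Empty)));
    }

    // Call from Startup.ConfigureServices after AddIdentity/AddIdentityServer.
    public static IServiceCollection AddUserAgentBoundCookie(this IServiceCollection services)
    {
        services.ConfigureApplicationCookie(options =>
        {
            options.Events ??= new CookieAuthenticationEvents();
            // Keep Identity's own validator (security stamp check) and run ours after it.
            var inner = options.Events.OnValidatePrincipal;

            // At sign-in, record a hash of the browser's User-Agent inside the ticket.
            options.Events.OnSigningIn = ctx =>
            {
                ctx.Properties.Items[UaHashKey] = HashUserAgent(ctx.HttpContext.Request.Headers["User-Agent"]);
                return Task.CompletedTask;
            };

            // On every request, reject the ticket when the User-Agent no longer matches.
            options.Events.OnValidatePrincipal = async ctx =>
            {
                await inner(ctx);
                if (ctx.Principal == null) return; // already rejected upstream
                ctx.Properties.Items.TryGetValue(UaHashKey, out var stored);
                if (stored == null || stored != HashUserAgent(ctx.HttpContext.Request.Headers["User-Agent"]))
                {
                    ctx.RejectPrincipal();
                    await ctx.HttpContext.SignOutAsync();
                }
            }
        });
        return services;
    }
}
```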