There is no legal responsibility, but our reputation is at stake. Each "client" is a Web browser, so it doesn't matter if they have multiple machines as we handle the transitions on the server side. The clients won't be logged in multiple times on different machines for the same user context and if they do, they understand there are no guarantees and that they're not supposed to do that. In other words, each user's context can be considered a single-threaded process and each transition happens sequentially, but the state is maintained across HTTP requests.
A transition, once it is triggered, should not be cancelleable or timed out.