The fundamental problem is that the web is notionally stateless - once the server has sent the required content to the browser the connection between the client and the application on the server ceases until the next request. Now we're able to create an illusion of state by various means so that we can identify a user as logged on for the duration of a session but what that actually means is that when a request is made to the server we test the information we're provided with and then decide whether the user is (still) logged on.
What this means is that you are limited in terms of mechanisms for enforcing a log-out requirement - the user might forget and close the browser or move on to something else or the browser might die, their session might time out (because of a long phone call), the network connection might die, etc, etc but the only knowlege you will have of this is an abscence of requests from the client not a positive indication that something has or hasn't happened.
The upshot of this is that the "best" - so far as I'm aware - that you can achieve is to track the session that the log-on is associated with so that when a request is made and you are deciding whether that user is logged on you compare the session id for the current request with that for the last time the login process occurred at a session start and if they are different take appropriate action i.e. sign out the current user and force them to log in again.