The issue arises when a user logs into the application but subsequently closes the browser. In this scenario, the application retains the user's sign-in status. Ideally, when the user reopens the browser and accesses the application once more, it should logically require the user to sign in again. The expected behavior is for the application to automatically sign out once the browser is closed, prompting the user to enter their credentials on the login page when they revisit the application. However, the current situation is such that the user can access the application without being prompted for login permission. Moreover, the user has the ability to initiate multiple sessions in separate tabs without being directed back to the login screen.
you can set “Multipe sessions per user” to false in settings->runtime to disable the users to have multiple sessions