Stores the last request time from the logged user in your database, maybe in a field of the user table and in a cookie also (client side). So, every time the user make a request, update this field on the user table to the current time and the cookie also.
If anybody try to connect with a user that have
flag = 1, verify the last request time. If it was five (or ten, or twenty, or whatever) minutes ago or more, allow log in. If it was less than this time, just not allow.
If allowed, then we have two person with a session in the system, so the two are logged, it is a problem.
To solve this, when anyone of them try to view the page, if the last request time stored in cookie (client side) is different from the stored in database, so destroy session. If is equal, the navigation is allowed and the last request time is update again (in the cookie and database).
The idea is that five (or ten, or twenty, or whatever) minutes of inactivity means that the user leaves.
You can also change
php.ini to a lower time. For example, to five minutes, try:
php.ini, restart Apache.
See Default session time out in Apache and CentOS