There is no way using server-side code to force the client to make one last server request when a browser is closed. And, in any event, there are too many ways for such a process to fail, starting with a simple browser crash and moving on up from there. For one thing, it takes more than closing a window to shutdown a browser.
Unless something really strange is going on, your sessionid cookie should have been destroyed when the final browser window closed, however. That would mean that even though the session object still existed and still held resources, the user wouldn't be requesting that session when restarting the browser and a whole new session would have to be built. When using the
J2EE standard container-managed security system that would be sufficient to force the user to log in again.
So, presumably you're using a Do-It-Yourself login system. As I've said many times before, DIY systems are buggy, expensive, and insecure and should be avoided.
And, if by chance, you're manually meddling with the jsessionid appendage to the URL, I think that would explain why you're not discarding the old session when
you should be.