It's just off the top of my head (and the morning
coffee hasn't kicked in yet), but on login couldn't you just do a
test to see if a session exists... if (session != null) {... Then based on the results offer the person a chance to invalidate the existing session?
One assumption I made is that your expecting the same person to log in with the same username/password. If it's a different person I'm assuming you'd invalidate the session anyway.
The one problem you'll have to watch out for, is if the person already has a valid session, they may not have to go to the login page to access pages where auth is needed.