I'm using sessions for a user login and I've realised that if a user is logged in and then logs in on a second machine, the first session stays open. It times out as normal if left untouched but if you continue browsing then it doesn't close.

So, if a user forgets to log out of a public machine then someone else can go straight on it and continue to be logged in as them, even if the user goes home and changes their password.

Is this normal or am I missing something obvious? If it is normal, what's the best way of preventing it?

The only thing I can come up with is to set a random token in a cookie, store it in the database and then on every page view check the cookie value matches the database value. So when the user logs in on the second machine it changes the cookie/database token and then the first machine gets logged out as soon as it views a new page because its cookie value is now invalid.