As you are aware, sessions are generally saved as cookies which can be set with an expiration date. Lacking an expiration, the cookie is automatically destroyed when the browser is closed. Therefore, your session cookies are being set with an expiration date (some time into the future). If you look into your login code, you should see this and remove the expiration date from the code which sets the session variables.
As for mod_rewrite, yes, it can access cookies using the CO flag:
What you can do is apply this to all scripts/pages (i.e., not to js, css, jpg, etc.) and arbitrarily set all lifetime values to either 0 or to 5 minutes. This could be the solution you're looking for (assuming you know the name of the cookie/session and the domain).