..timing out the users session...

Read the perldoc for CGI::Session, not just the first part of it, but the entire thing like the section on the expire() method.

...The problem I have then is ... and/or stopping anyone logging in with the same id....

CGI::Session stores things about the connecting session, hence you will know the IP address of the client that created the session and can, whenever validating that session on every subsequent request, check it again. If it is not the same then deny the request (see remote_addr() in the perldoc).