As to 'automatically' logging someone out or making a hijacked session id no longer match any session data, DON'T rely on the underlying session garbage collection operation to do this. The session garbage collection has a random probability of running and on a server that has few page requests, the session data could persist for a long time, allowing a hijacked session id to remain usable to impersonate a user.
Next, to positively log someone out, you need to have an actual data value, stored in the database table holding user data, that gets set to a value that indicates logged in, that gets cleared to indicate the logged out state. You should not rely just on the existence or absence of a session to permit access. By having an actual value stored on the server, it will require someone to enter correct authentication credentials in order to become logged in, which will prevent a hijacked session id from allowing someone to impersonate a user that is in the logged out state.
Lastly, to 'automatically' log someone out, you need to record the date and time of the last page request of the visitor in a database table, then check on each request if the last request is farther in the past then a value you have picked. If it is, you clear the logged in value stored in the database table, which will result in the visitor, or someone using a hijacked session id, needing to provide correct authentication credentials in order to become logged in.