This is a known behavior on Chrome. Nothing to do with Apache Shiro. Here is the link:
https://productforums.google.com/forum/#!topic/chrome/9l-gKYIUg50/discussion
Think Google has marked this as WONTFIX, so most likely we will have to live with this. To counter this, I set the max-age to some acceptable value so that FF and Chrome can have the same behavior. Otherwise, while FF logs me off when the window closes, Chrome may continue to keep the session for whatever length it decides.
Another way is to trigger Session validation in Shiro to harvest all expired session in Shiro and invalidate them. That way, any client trying to login with an expired session will be told so. At that point you may choose to redirect the user to the login page.