I ended up fixing this by tracking users log in/out state and activity timestamps. When a replayed session is received, we still decrypt the forms ticket and find valid "session" information. This identifies the user, we then check if logged out and if so redirect to log in page.
For cases where the user kills the browser without logging out, the activity time stamp is used in a sql job that sweeps the user table logging out inactive users.
weidson