for your permissions problem I'd suggest the implementation of roles or groups. that way you can add users to groups or give them roles, which can be checked in a before_filter in your controllers.
sessions: if you are using ActiveRecordStore (and thus your sessions are saved in a db-table) deleting those entries should result in a logout. there should be configuration in your environment like this:

    config.action_controller.session_store = :active_record_store

if you clean that table and you are still logged in, it seems you store your session (or at least your login-info) inside the client-side cookies (see CookieStore). if in doubt check your cookies, e.g. with firebug/firecookie.
for automatic timeout and removal put the following in your application controller:

    # session timeout after 30 minutes of inactivity (1800 seconds)
    MAX_SESSION_PERIOD = 1800

    before_filter :session_expiry

    # checks and (re-)calculates expiry time for sessions
    def session_expiry
      # if there is a session[:expiry_time], check it
      reset_session if session[:expiry_time] and session[:expiry_time] < Time.now
      # reset expiry_time
      session[:expiry_time] = MAX_SESSION_PERIOD.seconds.from_now
      return true
    end
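An added example, not part of the original post and not Rails code: a plain-Ruby model of the two storage styles discussed above, showing that emptying the server-side table logs out a DB-backed session but not a signed-cookie one, while an expiry time kept inside the session still ends both. The class names, `SECRET`, the user name and the clock value are constructed for illustration.

```ruby
require "openssl"
require "json"
require "securerandom"

SECRET = "constructed-demo-secret" # constructed value, not a real key
MAX_SESSION_PERIOD = 1800          # seconds, value taken from the post

# Server-side store: the cookie carries only a random id, the data sits in a table.
class DbStore
  def initialize; @rows = {}; end
  def load(cookie); @rows[cookie]; end
  def purge!; @rows.clear; end
  def issue(data)
    SecureRandom.hex(16).tap { |sid| @rows[sid] = data }
  end
end

# Client-side store: the cookie carries the data plus an HMAC, the server keeps nothing.
class SignedCookieStore
  def issue(data)
    b64 = [JSON.generate(data)].pack("m0")
    "#{b64}--#{mac(b64)}"
  end

  def load(cookie)
    b64, tag = cookie.to_s.split("--", 2)
    return nil unless b64 && tag && OpenSSL.secure_compare(mac(b64), tag)
    JSON.parse(b64.unpack1("m0"))
  end

  def mac(text)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, text)
  end
end

# Same test as the post's session_expiry: missing or expired means logged out.
def live_session(store, cookie, now)
  data = store.load(cookie)
  data if data && data["expiry_time"] >= now
end

def demo(now = 1_000_000) # constructed clock value
  login = { "user" => "alice", "expiry_time" => now + MAX_SESSION_PERIOD }
  db, ck = DbStore.new, SignedCookieStore.new
  db_cookie, ck_cookie = db.issue(login), ck.issue(login)
  db.purge! # the sessions table is emptied
  { db_after_purge: live_session(db, db_cookie, now),
    cookie_after_purge: live_session(ck, ck_cookie, now),
    cookie_after_timeout: live_session(ck, ck_cookie, now + MAX_SESSION_PERIOD + 1) }
end
p demo if $PROGRAM_NAME == __FILE__
```

With a client-side store the expiry check is the only server-enforced end to a session, since there is no row to delete.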