The way it works is the person attempting to login is allowed in while all other sessions are deleted. This works to delete the sessions, but the cookies of the other users still exist. There isn't really a means of invalidating those cookies. I'll have to basically rewrite the duplicate login protection and consider a different means of forcing the logouts aside from just deleting their session.
I do not have a timeframe for this implementation. My focus is CB Code Field and CB Query Field stable releases so I am not currently working on CB AntiSpam. Will come back to this issue after CB Code Field and CB Query Field stable releases are done.