By default Drupal will keep people logged in for 23 days (2000000 seconds) by saving a cookie in their browser. This is nice, but a potential security problem if people are using the site from shared computers.
Consider editing the site's settings.php to have
ini_set('session.cookie_lifetime', 0);
instead of the default
ini_set('session.cookie_lifetime', 2000000);
With the former, the user's login will be forgotten when they close their browser window, even if they forget to log out explicitly.
