I would say that this is in some sense outside of QlikView.
Using header authentication you will inject the username of the user in every request. If you stop injecting the header the user is logged out.
So if these capabilities are build into the component that you use to inject the header i.e. a reverse proxy or a code component of IIS then you should be able to support the behaviour you are looking for.
After additional research here is what I discovered:
- The logout button: if QV is in an iFrame, what if you have a log out button in the parent html page, and when the user logs out or timeout hits on that page, have code that deletes the AccessPoint session cookie and sends you back to reauthenticate?
- Reopening closed windows: "TerminateSession" is an extension that can automatically kill the session without user interaction when the browser or browser tab is closed. This way no one else can reopen a closed browser window and be right back in the session. This leverages a supported API call: http://community.qlik.com/docs/DOC-2853