EPiServer is using standard ASP.NET functionality so you can read more about authentication, authorization and membership providers it in any ASP.NET book or forum.

EPiServer is using the standard Login Web Control included in the ASP.NET Framework (with a few rendering adaptations).

The remeber me check box controls the second parameter toFormsAuthentication.SetAuthCookie(string userName, bool createPersistentCookie) and that will change control if the cookie is set with an expiration time or not. If you do not send expiration time for a cookie it is called a session cookie that is cleared when you close shutdown your browser.

The only way to make all existing authentication cookies you have issued with long lifetime invalid is to change name of the authentication cookie or change you machinekey used for encrypting the ticket.

To log out a single user, use FormsAuthentication.SignOut() method to clear the cookie.

Do not confuse session cookies with the ASP.NET Session - both are using cookies but that is all they have in common.

I recommend that you set a machinekey in your web.config if you want a long lifetime of your authentication cookies. Personally I prefere a timeout that is a couple of weeks/months and using sliding expiration to extend the lifetime when people visit the site.