It seems simpler and less error prone to invalidate the cookies so the next time they login cookie is checked, its invalid. All this requires is a token used to encode the cookie contents along with the time.
This is already EXACTLY how the code works:
if {$auth_token eq [sec_get_user_auth_token $untrusted_user_id]} {
it compares the auth token provided with the cookie with the users current valid auth token. Invalidating the auth token will invalidate the cookies.