Assuming you use cookies for authentication, you can store the next logout timestamp in a cookie and then log the user out if that time has been passed. To make sure that the cookie contents haven't been spoofed, add the logout timestamp to your hash input, so instead of hashing user+sitekey, you hash user+logout+sitekey.

Really very simple to do, and no cron spoofing needed.