NiFi does not use sessions. So there are no active sessions that you can kick a user out of. Every action performed by a user must be both authenticated and authorized.
This means that at any time an admin can remove a user's authorization(s), thus blocking all actions that user was previously authorized to perform.
Keep in mind here that user authentication and user authorization are two totally independent processes. A user can successfully be authenticated, but not authorized to anything in NiFi.
If a user's authentication is performed using a token-based authentication method (like a login-based provider), there is a user-side token (stored by the client, which is typically the browser) and a server-side token stored in the users db inside the database_repository in the NiFi UI. These tokens are valid for the expiration timeframe configured in the authentication provider (typically 12 hours as the default). This is done so a user does not need to "login" for every action they want to perform. This does not mean that authorization is not checked for every action.
Hope this helps,
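
A simplified model of the behaviour described in this answer, added here as an illustration and not NiFi's own code: a token proves identity until it expires, while authorization is looked up on every request, so removing a user's policies takes effect immediately even though the token is still valid. The HMAC token format, the `policies` table, the resource names and all function names are assumptions made for the example.

```python
import base64, hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"   # constructed value, not a NiFi setting
TOKEN_TTL = 12 * 3600                  # 12 hours, the typical default named above

# Constructed policy table: (resource, action) -> identities allowed.
policies = {("/flow", "read"): {"alice"}, ("/process-groups/root", "write"): {"alice"}}

def issue_token(identity, now):
    """Authentication step: runs once at login and returns a signed bearer token."""
    body = base64.urlsafe_b64encode(
        json.dumps({"sub": identity, "exp": now + TOKEN_TTL}).encode())
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + sig

def authenticate(token, now):
    """Return the identity if signature and expiry check out, else None."""
    try:
        body, sig = token.rsplit(b".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["sub"] if now < claims["exp"] else None

def handle_request(token, resource, action, now):
    """Every request is authenticated AND authorized; no per-user session is kept."""
    identity = authenticate(token, now)
    if identity is None:
        return 401                      # not authenticated (bad or expired token)
    if identity not in policies.get((resource, action), set()):
        return 403                      # authenticated, but not authorized
    return 200

def revoke(identity):
    """Admin removes the identity from every policy; applies to the next request."""
    for members in policies.values():
        members.discard(identity)
```

In this model, a request made after `revoke("alice")` returns 403 while `authenticate` still accepts her token, and the same token returns 401 only once the 12 hours have passed.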