HTTP is not a persistent connection - it only knows the CLIENT is still connecting to the SERVER when the CLIENT makes a new request.
The CLIENT sends a request to the SERVER for information (usually a webpage), the SERVER processes the request and replies to the CLIENT, sending whatever is the relevant response (usually a webpage).
That is the end of the communication, and they do not communicate again until another request is sent by the CLIENT. Clicking a hyperlink is the most common type of request on the web.
Thus, the only option the SERVER has for figuring out when a CLIENT has left is to assume that the CLIENT has left the system after a certain amount of time has passed with no new request received. This is generally referred to as a "time to live".
Forums (and most membership systems for HTTP) operate on SESSIONS, which store information about your user account on the server, and are stored on your local computer as a cookie (text file) with a SESSION ID that is your ticket back into your SESSION on the SERVER (your account, basically), without LOGGING IN everytime you want to access a page.
So if the "time to live" variable is set to 30 minutes, you will appear in the "logged in users" displays for 30 minutes after your last request on that website.
The only exception to this is if you specifically LOGOUT. With this request, you are specifically telling the server to close your session as you are finished using the system.
Just to add a note about passwords
Passwords are mostly encrypted using what's called a one-way hash - the SHA1 algorithm more recently, earlier the MD5 (wikipedia for more on that). These hashes will produce everytime the same hash of a given password. The one-way is a means by which they are practically impossible (really really really ridiculously tough) to un-hash. So, even if an administrator looks at the database all they see are a bunch of password hashes (ab23jfak3f39fksixiw03, something to that effect). When you submit your password to a user system, it will hash your password and compare it to the hash in the database.
That's not to say an evil administrator couldn't store your unencrypted password somewhere, if they wanted to. However, unless they're hoping you use the same password at every site so they can login elsewhere, it's pointless as they can view everything that gets posted to the site by direct server access anyhow.
Moderators and other users on the other hand, wouldn't have any way to access this information unless the administrator specifically gave them access.
So in short, use different strong passwords for every separate place on the web that's important to you (Paypal, Banking, Registrars, etcetera).
Hope that helps