If the session was already open for him when you enabled 2fa he would have still had access using a session that didn't have 2fa.

It depends how the site is programmed, but usually its keep session variables until logout button is hit.

too many scumbags around.