Ok I reviewed the patch proposed by Victor and it mostly works.
It does not support the "user is identified by an expired login cookie, allow access to public resources and show a 'Hi User' type message" case (i.e., the amazon.com model).
To do this we could add a parameter AllowUntrustedPublicAccess or something similar that would check the user_id cookie for validity but not expiration.
This would allow a valid, expired cookie to be used with a matching IP address for identity but not authorization.
We could make the ad_user_logout conditional on checking the cookie without expiration, and checking the new parameter. This would allow site owners to decide which behavior makes sense.
For a private site, logging out on expiration (or browser close) makes the most sense. For an e-commerce site, for example, requiring login only to checkout or otherwise POST data to the server makes sense.
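
The split between identity and authorization proposed in this comment, sketched in Python as an added example (it is not part of the original comment and not the project's code). Only the name AllowUntrustedPublicAccess comes from the comment; the cookie layout, `SECRET`, `sign_cookie`, `classify_cookie` and `may_access` are hypothetical.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value; a real site loads its key from protected storage


def sign_cookie(user_id, expires, ip, secret=SECRET):
    """Build 'user_id|expires|ip|mac' (hypothetical layout, fields must not contain '|')."""
    payload = f"{user_id}|{expires}|{ip}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def classify_cookie(cookie, client_ip, now, allow_untrusted_public_access, secret=SECRET):
    """Return (user_id, level), level being 'authenticated', 'identified' or 'anonymous'."""
    payload, _, mac = (cookie or "").rpartition("|")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Validity (signature) is checked first and independently of expiration.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return (None, "anonymous")  # forged or tampered: behave as logged out
    user_id, expires, ip = payload.split("|")
    if now < int(expires):
        return (user_id, "authenticated")
    # Valid but expired: identity only, and only with the parameter set
    # and the same client IP that the cookie was issued to.
    if allow_untrusted_public_access and ip == client_ip:
        return (user_id, "identified")
    return (None, "anonymous")  # the point where the site would log the user out


def may_access(level, method, is_public):
    """Only 'authenticated' may POST or reach private resources."""
    if level == "authenticated":
        return True
    # 'identified' gets the greeting but no more rights than an anonymous visitor.
    return is_public and method in ("GET", "HEAD")


if __name__ == "__main__":
    cookie = sign_cookie("42", 1000, "203.0.113.5")  # constructed sample values
    for now, flag in ((500, False), (2000, True), (2000, False)):
        print(now, flag, classify_cookie(cookie, "203.0.113.5", now, flag))
```
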