I'm wondering how you're handling expired sessions. Do you notify users that the session is expired? We'd like to show some kind of feedback on whether the session is about to expire or has already expired. I found a thread about a similar issue, but it was about how to expire sessions from the server side, which was useful.
I've found in the latest OpenACS version of sec_handler ( http://fisheye.openacs.org/browse/OpenACS/openacs-4/packages/acs-tcl/tcl/security-procs.tcl?u=3&r=1.72 ) that when the sessions expire, the sec_handler logs out the user using the ad_user_logout proc, which blanks the cookies, and this causes the system to lose track of whether the user had a session.
I'm just wondering if there is a specific reason for not validating the session in the sec_handler and setting the auth_level to expired, then redirecting the user to the login page and checking here whether the session has expired and showing the respective feedback message. What do you think?
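
The flow proposed in the post above, sketched as an added example that is not part of the original post and is not OpenACS code: the request filter classifies the session as absent, expired, expiring or valid, and only blanks the cookie after recording why. The proc names, the `/login` path, the `reason` parameter and the session dict layout are assumptions made for illustration.

```tcl
# Added illustration in plain Tcl; proc names and the /login path are
# hypothetical, not OpenACS API. A session is a dict recovered from an
# already signature-checked cookie, e.g. {user_id 42 expires 1700000600};
# an empty string means no session cookie was sent.
package require http   ;# bundled with Tcl; used only for query encoding

proc classify_session {session now {warn_window 300}} {
    if {$session eq ""} { return none }
    set remaining [expr {[dict get $session expires] - $now}]
    if {$remaining <= 0} { return expired }
    if {$remaining <= $warn_window} { return expiring }
    return ok
}

# Only same-site paths may be used as a return target (no open redirect).
proc safe_return_url {url} {
    if {[string match "/*" $url] && ![string match "//*" $url]
        && ![string match {/\\*} $url]} { return $url }
    return "/"
}

# Returns a dict describing what the request filter should do.
proc handle_request {session now url} {
    switch -- [classify_session $session $now] {
        none {
            return [dict create action continue auth_level none clear_cookie 0]
        }
        expired {
            # Blank the stale cookie, but keep the reason in the redirect so
            # the login page can pick a fixed "session expired" message.
            set q [::http::formatQuery reason expired \
                       return_url [safe_return_url $url]]
            return [dict create action redirect auth_level expired \
                        clear_cookie 1 location "/login?$q"]
        }
        expiring {
            set left [expr {[dict get $session expires] - $now}]
            return [dict create action continue auth_level ok clear_cookie 0 \
                        notice "Your session expires in $left seconds."]
        }
        ok { return [dict create action continue auth_level ok clear_cookie 0] }
    }
}

# Constructed sample input: expired, about to expire, and no session.
set now 1700000000
puts [handle_request [dict create user_id 42 expires [expr {$now - 10}]] $now "/some/page"]
puts [handle_request [dict create user_id 42 expires [expr {$now + 120}]] $now "/some/page"]
puts [handle_request "" $now "/some/page"]
```

The login page should treat `reason` as a selector for a fixed message rather than echoing its value, so the parameter cannot be used to inject text into the page.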