I’ve noticed user sessions on the server edition seem to be infinite - so long as they keep the browser open & the manager session cookie remains valid.
From a security point of view this isn’t a good idea. Sessions should time out after inactivity (say 30 minutes, ideally configurable by the administrator).
As an alternative, does the session state reside on the server, where it could be zapped by a cronjob somehow? Clearing overnight would suffice until there is a better solution.
Also, application administrators should be able to see if users are currently logged on. Nothing too detailed, just basic connection info like login time / last page access / remote IP, as it aids in the management of users and the application generally (e.g. ‘can I reboot the server?’).
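The two behaviours asked for above (an administrator-configurable idle timeout with a sweep that can be run from a cronjob, and an admin view of who is logged on) fit together in one small session registry. The code below is an added illustration, not code from the product discussed in this post; it assumes an in-memory store and an injectable clock so the timeout logic can be exercised without sleeping, and the `Session`, `SessionRegistry` and `FakeClock` names are hypothetical.

```python
"""Session registry with idle timeout, cron-style sweep and admin listing.

Added example, not the product's own code. Assumptions: sessions live in
memory (a real server would use its session store), and the clock is
injected so expiry can be tested deterministically.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    user: str
    remote_ip: str
    login_time: float     # epoch seconds
    last_access: float    # epoch seconds, refreshed on every valid request


class SessionRegistry:
    def __init__(self, idle_timeout_s: int = 30 * 60,
                 clock: Callable[[], float] = time.time):
        # Idle timeout in seconds; intended to be set by the administrator.
        self.idle_timeout_s = idle_timeout_s
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def _expired(self, s: Session, now: float) -> bool:
        return now - s.last_access > self.idle_timeout_s

    def create(self, user: str, remote_ip: str) -> str:
        """Start a session and return the unguessable id to set as the cookie."""
        now = self._clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, remote_ip, now, now)
        return sid

    def validate(self, sid: str) -> Optional[Session]:
        """Called on each request. Returns the session if it exists and has
        not been idle too long, refreshing last_access (sliding window).
        An idle-expired session is destroyed and None is returned."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if self._expired(s, now):
            del self._sessions[sid]
            return None
        s.last_access = now
        return s

    def logout(self, sid: str) -> bool:
        """Explicit logout; returns True if a session was removed."""
        return self._sessions.pop(sid, None) is not None

    def sweep(self) -> int:
        """Drop every idle-expired session; this is what a cronjob would call.
        Returns the number of sessions removed."""
        now = self._clock()
        expired = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)

    def active(self) -> List[dict]:
        """Admin view: login time, last access and remote IP per live session.
        Session ids are deliberately not included in the output."""
        self.sweep()
        return [{"user": s.user, "remote_ip": s.remote_ip,
                 "login_time": s.login_time, "last_access": s.last_access}
                for s in self._sessions.values()]

    def safe_to_reboot(self) -> bool:
        """The 'can I reboot the server?' question: True if nobody is logged on."""
        return not self.active()


class FakeClock:
    """Constructed clock for demonstrations; advance() stands in for elapsed time."""
    def __init__(self, t: float = 1000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Walk through the lifecycle with a 30-minute idle timeout."""
    clock = FakeClock()
    reg = SessionRegistry(idle_timeout_s=1800, clock=clock)
    sid = reg.create("alice", "203.0.113.5")      # constructed sample user/IP
    clock.advance(1700)
    alive_after_1700 = reg.validate(sid) is not None   # under 30 min: still valid
    clock.advance(1700)
    alive_after_sliding = reg.validate(sid) is not None  # activity reset the window
    clock.advance(1801)
    alive_after_idle = reg.validate(sid) is not None     # over 30 min idle: gone
    return {"alive_after_1700": alive_after_1700,
            "alive_after_sliding": alive_after_sliding,
            "alive_after_idle": alive_after_idle,
            "safe_to_reboot": reg.safe_to_reboot()}


if __name__ == "__main__":
    print(demo())
```

The sliding window is the point: a session stays alive only while requests keep arriving, so a browser left open but untouched expires after the configured period. `sweep()` is idempotent and safe to schedule overnight from cron, and `active()` gives the administrator exactly the login time / last access / remote IP requested without leaking session ids.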