That was an excellent discussion.
We'll see how the security is implemented and see if we can insert a preliminary check that can session.invalidate() at the appropriate moment based on existing user level (I'm not sure how they presently store the user class information, but it is avalable) and time-since-last (which we may or may not have to store manually in the session).
Also, this is a major client and they will want a lot of work in this system (or a full replacement in PHP which I don't see happening).
Any "logout" code would have to be executed in the session destruction listener method.
We will certainly test this and implement a logout command if need be.