Are you using forms authentication? I have found that there's a slight problem when you rely on a session that has value populated from a login. The forms authentication cookie is maintained as long as the browser is open even if the user's session dies. So I put in a check to look at a certain session value. If that value is missing it performs a forms authentication logout to force a return to the login page.