Also pointless: "your session will expire in X minutes; click Continue to stay logged in" alerts. That just turns a short session into a long session? And provides a handy session.renew() call for the attacker?