Thinking more about it, I might go the route of doing a backing store through the Cache. The reason being that if a user logs out, they should expect that their session ID won't work anymore. However, if the expiry timestamp is set in the future, then their session could still be used until that time. Which, while better than being usable forever, still seems bad.
Not sure if that implementation is still something you'd want a PR on, but I know I would have appreciated it, as the existing out-of-the-box session management is somewhat of a security hole.