In my ProtectedPage class's pageValidate method, I check for a null session plus a valid login cookie (set during login). If that obtains, I throw a StaleSessionException. The engine service catches that.
If there is a null session and no login cookie, I redirect to the login page. Thanks for letting me vent :)
