I'd like to require a user to re-login after a timeout. But I don't want to lose the session entirely; I want the session picked back up and to be redirected to the visited page using the same saved state as before (sort of like releasing from a password-protected screen saver).
More ambitiously, I might even like this behavior to survive a lost session cookie (presumably from closing the browser) or a changed browser cookie (from another user logging in from the same computer and browser). This would surely require saving something (a session id or the session state) in the user's table.
Any ideas on what would be the best way to implement either the less ambitious or the more ambitious plan? Any thoughts on nasty security implications of the more ambitious plan? Thanks in advance.
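
The lock-and-resume behaviour asked about above, as an added example that is not part of the original post. The class `LockingSessions`, its in-memory dicts, the `verify_password` callback and the 15-minute `IDLE_TIMEOUT` are all assumptions; saved state is keyed to the user and released only after a password check, and the session id is replaced on every login so a shared or stale cookie never resumes someone else's state.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value

def _local(path):
    # Only same-site paths may be stored as a return target (no open redirect).
    return path if path.startswith("/") and not path.startswith(("//", "/\\")) else "/"

class LockingSessions:
    """Hypothetical store; a real app would persist both dicts in its database."""

    def __init__(self, verify_password, now=time.time):
        self.verify_password = verify_password  # callable(user, password) -> bool
        self.now = now
        self.by_sid = {}  # cookie value -> {"user", "last_seen", "locked"}
        self.state = {}   # user -> {"data": {...}, "return_to": path}

    def login(self, user, password, old_sid=None):
        """Log in or unlock. Returns (new_sid, return_to), or None on failure."""
        if not self.verify_password(user, password):
            return None
        self.by_sid.pop(old_sid, None)      # retire the old cookie, whoever owned it
        sid = secrets.token_urlsafe(32)     # fresh id after every authentication
        self.by_sid[sid] = {"user": user, "last_seen": self.now(), "locked": False}
        saved = self.state.setdefault(user, {"data": {}, "return_to": "/"})
        return sid, saved["return_to"]

    def request(self, sid, path):
        """Returns ("ok", data), ("locked", user) or ("anonymous", None)."""
        s = self.by_sid.get(sid)
        if s is None:
            return "anonymous", None
        saved = self.state[s["user"]]
        if not s["locked"] and self.now() - s["last_seen"] > IDLE_TIMEOUT:
            s["locked"] = True              # lock once; remember where to resume
            saved["return_to"] = _local(path)
        if s["locked"]:
            return "locked", s["user"]      # no state is released while locked
        s["last_seen"] = self.now()
        saved["return_to"] = _local(path)   # lets a lost cookie resume here too
        return "ok", saved["data"]
```
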