This is not *quite* correct. There are two user_id values available from ad_conn: user_id and untrusted_user_id
The difference in behaviour is this:
no user user logged in user logged in
logged_in and not expired but expired
user_id 0 the id 0
untrusted_user_id 0 the id the id
It's important to know the difference because otherwise your users will have the confusion of the "logged in as..." showing that they are logged in, but your code relying solely on ad_conn user_id behaving as though they are not logged in.
Just thought it worth clarifying.