If login timeout is empty string require a login cookie. Do not give someone a new login cookie with a valid session cookie.
if {[sec_login_timeout eq "" && [catch [ad_get_signed_cookie_with_expr ad_user_login]} { sec_login_handler }