finally, the reason that it's ok that session_id expires after N seconds (rather than on browser close) is that sec_read_security_info requires both session_id and user_login cookies to be set. the later is only set if user says "save this info on my computer."
