* Update last_activity timestamp of the session token
* Check user backend credentials once in 5 minutes
add 'last_activity' column to session tokens and delete old ones via a background job
* Add InvalidTokenException
* add DefaultTokenMapper and use it to check if an auth token exists
* create new token for the browser session if none exists
  hash stored token; save user agent
* encrypt login password when creating the token