Implement server-side stateless session handling


      AT:

      • session state is not maintained in Optimize instances (no stored expiry date)
      • session validity is purely based on the JWT encrypted with a secret
      • expiration of session is based on the JWT creation time
      • the secret used to encrypt the JWT is configurable; the config value defaults to null, in which case the application generates a random secret on startup and uses it to encrypt all tokens
      • new login with same credentials doesn't kill existing sessions for same credentials

      Note:
      Currently, user sessions are stored and their lifetime is maintained inside SessionService. This blocks us from providing easy clustering support regardless of the load-balancer policy used, because a session created by one particular Optimize instance is only valid in that exact instance.
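      As an added illustration of the acceptance criteria above (example code, not Optimize's own implementation): a stateless HS256 JWT session whose validity rests only on the HMAC over the token and whose expiry is derived from the embedded creation time. The lifetime constant and the user id are assumptions; note that with the null default the secret is random per process, so tokens only verify across instances once a shared secret is actually configured.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical lifetime; the ticket fixes no value, only that expiry derives from creation time.
SESSION_LIFETIME_SECONDS = 3600

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def resolve_secret(configured: Optional[str]) -> bytes:
    # Config value null -> fresh random secret per process. Tokens from this
    # instance are then unverifiable on any other instance (or after a restart).
    return configured.encode() if configured else secrets.token_bytes(32)

def issue_token(secret: bytes, user_id: str, now: int) -> str:
    # Only the creation time (iat) travels in the token; nothing is stored server-side.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now}).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"

def validate_token(secret: bytes, token: str, now: int) -> Optional[str]:
    """Return the user id for an authentic, unexpired token, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, signature = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # accept only the algorithm we issue with
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        claims = json.loads(_b64url_decode(payload))
        issued_at = int(claims["iat"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    if not issued_at <= now < issued_at + SESSION_LIFETIME_SECONDS:
        return None  # expiry is derived from creation time alone
    return str(claims["sub"])
```

A second login simply issues another token; because no server-side state is touched, the first token stays valid until its own creation-time-based expiry.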

            Assignee:
            Unassigned
            Reporter:
            Sebastian Bathke