Speaking about communicating to the user what is happening:
One on-line bank I use logs me out if I don't do anything for a while, and shows a message to that effect in the browser window. I do not know how they actually do that, but one way could be to use some session time stamp, preferrably on the server side, and then combine that with a content-refresh meta tag or http header with a time set to the time out of the session.
So if a user keeps a web page open for t seconds, the page will reload and a message will appear that he's been logged out (if the session info indicates that so should be done).
/jeorgen