in reply to Re: Identifying clients
in thread Identifying clients

That's exactly what triggered the problem. The first penalty is a mere 4 seconds (barely time for the user to read it and realize the session timed out), and always redirects back to the login page. It's the repeated failures that grow the timeout, and with many users under the same IP, they all get hit regardless of session status.

Determining a first time session expire (vs repeated session attempts) isn't built into the design yet. It's a work in progress...
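An added example, not code from the thread, that models the penalty described above: a first failure costs 4 seconds and repeated failures grow the timeout (the doubling rule, the IP address and the session ids are assumed), showing why a penalty keyed on IP alone hits every user behind one NAT while keying on IP plus session spares the user who never failed.

```python
import time
from typing import Callable, Dict, Tuple

BASE_PENALTY = 4.0  # seconds; the first failure costs 4 s, as the post says


class PenaltyTracker:
    """Escalating login-failure penalty. The key function decides whether the
    penalty is shared by everyone behind one IP or scoped to one session."""

    def __init__(self, key_fn: Callable[[dict], str],
                 clock: Callable[[], float] = time.monotonic):
        self.key_fn = key_fn
        self.clock = clock
        self.state: Dict[str, Tuple[int, float]] = {}  # key -> (failures, blocked-until)

    def record_failure(self, req: dict) -> float:
        key = self.key_fn(req)
        count = self.state.get(key, (0, 0.0))[0] + 1
        penalty = BASE_PENALTY * 2 ** (count - 1)  # 4 s, 8 s, 16 s ... (assumed growth rule)
        self.state[key] = (count, self.clock() + penalty)
        return penalty

    def penalty_remaining(self, req: dict) -> float:
        _, until = self.state.get(self.key_fn(req), (0, 0.0))
        return max(0.0, until - self.clock())


def by_ip(req: dict) -> str:
    return req["ip"]


def by_ip_and_session(req: dict) -> str:
    return f"{req['ip']}|{req['session']}"


def simulate_shared_nat() -> dict:
    """Two users behind one NAT address: A fails three times, B has never failed."""
    now = [0.0]                                   # frozen fake clock for a deterministic run
    user_a = {"ip": "203.0.113.7", "session": "sess-a"}   # constructed sample values
    user_b = {"ip": "203.0.113.7", "session": "sess-b"}
    results = {}
    for name, key_fn in (("per_ip", by_ip), ("per_session", by_ip_and_session)):
        tracker = PenaltyTracker(key_fn, lambda: now[0])
        first = tracker.record_failure(user_a)    # the one-off expired-session case
        for _ in range(2):
            tracker.record_failure(user_a)        # repeated failures escalate the timeout
        results[name] = {"first_penalty": first,
                         "innocent_user_wait": tracker.penalty_remaining(user_b)}
    return results
```

Under `per_ip` the innocent user B inherits A's 16-second block; under `per_session` B waits 0 seconds.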