Put the last_access_time in the session and compare at the very beginning of the request if a timeout happened. If so revalidate the session and on success set a new last_access_time. If no timeout happened, set a new last_access_time.