timeout anonymous sessions earlier, to stop the session table getting massive....

timeout anonymous sessions earlier, to stop the session table getting massive. And fix the inevitable stupid bug which crept in

lib/session.php

@@ -25,6 +25,7 @@ public	$token='';		// session identifier
 public  $logintime='';  // Time which user last gave us credentials
 public	$lastseen='';		// Time of last page request
 private	$timeout = 2880;	// Idle timeout limit in minutes (session deleted), 2880 == 48 hours
+private $anonymous_timeout = 120; // Idle timeout limit for sessions which aren't logged in (set lower to stop the session table getting swamped)
 private $secure_timeout = 30;   // Idle timeout limit in minutes (consider session less secure, require reauth for sensitive ops)
 private $max_session_length = 11520; // maximum length of a session, 11520 == 8 days
 private	$table = "session";	// session storage table (const)
@@ -82,8 +83,9 @@ private $datahash='';		// hash of data field
 
 		// Time out any old sessions
 		$DB->Execute(
-			"delete from {$this->table} where lastseen < NOW() - '{$this->timeout} minutes'::reltime".
-			"or logintime < NOW() - '{$this->max_session_length} minutes'::reltime"
+			"delete from {$this->table} where lastseen < NOW() - '{$this->timeout} minutes'::reltime ".
+			"or logintime < NOW() - '{$this->max_session_length} minutes'::reltime ".
+			"or (username IS NULL AND lastseen < NOW() - '{$this->anonymous_timeout} minutes'::reltime)"
 		);