I've confirmed the behavior.
I am not sure about the expected behavior - maybe we should find a way to tell the user that the session has timed out - and then reload the application.
In the meantime, this can actually be implemented in the model - you can use a timer that will check if the user is still logged in - say every 20 minutes. This will effectively work as a keep-alive mechanism - the only situation that will trigger a timeout is if the browser is disconnected from the server (e.g. if the network disconnected the is in stand-by mode).
In any case, when checking permissions explicitly, it is highly recommended to positively check for the existing permissions (so as a special case a null user id does not translate to maximum permissions).
For best results, use the Firefox browser.
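Added example, not part of the original reply and not the product's own code: it contrasts a permission check that fails open when the user id is null after a session timeout with a positive check that fails closed. The permission names, the `GRANTS` and `RESTRICTED` tables, and all function names are assumptions made for illustration.

```python
# Constructed sample data: user id -> permissions explicitly granted (hypothetical names).
GRANTS = {
    "alice": {"report.read", "report.edit"},
    "bob": {"report.read"},
}
# Negative-style table: users explicitly restricted from an action.
RESTRICTED = {"bob": {"report.edit"}}


def can_edit_negative(user_id):
    """Fragile: allows unless the user is known to be restricted.

    After a session timeout the user id is None, nothing is listed as
    restricted for None, and the check falls through to 'allowed'.
    """
    return "report.edit" not in RESTRICTED.get(user_id, set())


def can_edit_positive(user_id):
    """Fail closed: allow only when a real user holds the permission."""
    if not user_id:  # None or empty id: timed-out or anonymous session
        return False
    return "report.edit" in GRANTS.get(user_id, set())


def handle_edit(user_id, check):
    """Return the outcome a request handler would produce for this caller."""
    if not check(user_id):
        # A missing id means the session expired, so ask the client to log in again.
        return "reauthenticate" if not user_id else "forbidden"
    return "ok"


if __name__ == "__main__":
    for uid in ("alice", "bob", None):
        print(uid, handle_edit(uid, can_edit_negative), handle_edit(uid, can_edit_positive))
```

With the positive check, a null user id produces a distinct "reauthenticate" outcome, which the client can use to tell the user the session has timed out and reload the application.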