Currently, the last access end time is only applied when the session is new - this was meant as an optimization to avoid setting the last access start time. However, if the initial request is sufficiently long, this could lead to an abandoned session expiring prematurely. Unlikely, but possible.