diff --git a/app.js b/app.js
index 127576c2a..2344bd3ed 100755
--- a/app.js
+++ b/app.js
@@ -106,7 +106,7 @@ db.on('connected', function () {
 console.log(colors.green('Connected to MongoDB v' + aInfo.version));
 });
- ttlSanityTimer = setInterval(ttlSanity, 15 * 60 * 1000); // NOTE: Check every n minutes
+ ttlSanityTimer = setInterval(ttlSanity, settings.ttl.timerSanityExpiry * 60 * 1000); // NOTE: Check every n min
 });
 db.on('disconnected', function () {
@@ -122,7 +122,7 @@ db.on('reconnected', function () {
 console.error(colors.yellow('MongoDB connection is reconnected'));
 if (!ttlSanityTimer) {
- ttlSanityTimer = setInterval(ttlSanity, 15 * 60 * 1000); // NOTE: Check every n minutes
+ ttlSanityTimer = setInterval(ttlSanity, settings.ttl.timerSanityExpiry * 60 * 1000); // NOTE: Check every n min
 }
 });
@@ -163,7 +163,7 @@ process.on('SIGINT', function () {
 var sessionStore = new MongoStore({
 mongooseConnection: db,
 autoRemove: 'native',
- ttl: 10 * 60 // seconds to minutes ; 14 * 24 * 60 * 60 = 14 days. Default
+ ttl: settings.ttl.timerSanity * 60 // sec to min; 14 * 24 * 60 * 60 = 14 days. Default
 });
 // See https://hacks.mozilla.org/2013/01/building-a-node-js-server-that-wont-melt-a-node-js-holiday-season-part-5/
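Review bot: The new interval expression reads `settings.ttl.timerSanityExpiry`, but nothing in this hunk shows `settings` being required in app.js; if the module is not already in scope, the `connected` handler will throw the first time the database comes up. The identical expression is repeated in the `reconnected` handler (hunk @@ -122), so hoisting it once, e.g. `var ttlSanityIntervalMs = settings.ttl.timerSanityExpiry * 60 * 1000;` next to the requires, keeps the two timers from drifting apart on the next edit. Both handlers continue outside the hunk.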
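Review bot: The rewritten comment `// sec to min` on the `ttl:` line inverts the conversion — `settings.ttl.timerSanity * 60` turns a minute count into the seconds the store expects; suggest `// minutes to seconds; store default is 14 * 24 * 60 * 60 = 14 days`. The store TTL is now driven by `timerSanity` (7) while the sweep interval and the expiry check in ttlSanity use `timerSanityExpiry` (11), two similarly named knobs with no comment explaining why the store window is deliberately shorter than the sweep window; a one-line note here would stop the next reader from "fixing" one to match the other.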
@@ -524,11 +524,17 @@ function ttlSanity() {
 options.sessionList = _.map(options.sessionList, function (aSession) {
 var expiry = moment(aSession.cookie.expires);
- if (expiry.add(15, 'm').isBefore()) {
+ if (expiry.add(settings.ttl.timerSanityExpiry, 'm').isBefore() ||
+ expiry.diff(moment(), 'm')
+ > settings.ttl.timerSanityExpiry && aSession.user && !aSession.user.roleName
+ ) {
 if (aSession.passport && aSession.passport.oujsOptions) {
- console.warn('Forcibly destroyed a session id of', aSession.passport.oujsOptions.sid);
+ if (isDbg) {
+ console.warn('Forcibly destroyed a session id of', aSession.passport.oujsOptions.sid);
+ }
 sessionStore.destroy(aSession.passport.oujsOptions.sid);
 } else {
+ // NOTE: This should not happen
 console.error('Session found to be expired but no sid');
 }
 }
diff --git a/controllers/auth.js b/controllers/auth.js
index 5a4149f5b..308470ccc 100644
--- a/controllers/auth.js
+++ b/controllers/auth.js
@@ -154,8 +154,8 @@ exports.auth = function (aReq, aRes, aNext) {
 if (aErr) {
 console.error('Authfail with no User found of', username, aErr);
-// aRes.redirect('/login?usernamefail');
-// return;
+ aRes.redirect('/login?usernamefail');
+ return;
 }
 if (aUser) {
diff --git a/libs/modifySessions.js b/libs/modifySessions.js
index a810aecef..6d556ef39 100644
--- a/libs/modifySessions.js
+++ b/libs/modifySessions.js
@@ -8,6 +8,8 @@ var isDbg = require('../libs/debug').isDbg;
 //--- Library inclusions
 var moment = require('moment');
+var settings = require('../models/settings.json');
+
 //
 // This library allows for the modifications of user sessions
 var async = require('async');
@@ -68,7 +70,7 @@ exports.add = function (aReq, aUser, aCallback) {
 // Expand a single session
 exports.expand = function (aReq, aUser, aCallback) {
 var expiry = moment(aReq.session.cookie.expires);
- var min = 5; // NOTE: Keep this initial timeout in sync with app.js
+ var min = settings.ttl.minimum;
 if (!aUser) {
 aCallback('No User');
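Review bot: `expiry.add(settings.ttl.timerSanityExpiry, 'm')` mutates the moment in place, so the second clause `expiry.diff(moment(), 'm') > settings.ttl.timerSanityExpiry` compares the already-shifted time and holds for any session whose original cookie expiry is still in the future, not only one more than `timerSanityExpiry` minutes out; compute the grace threshold on a copy, e.g. `var expiry = moment(aSession.cookie.expires);` followed by `var graced = expiry.clone().add(settings.ttl.timerSanityExpiry, 'm');`, and test `graced.isBefore()` and `expiry.diff(moment(), 'm')` separately. That clause also destroys sessions that have not expired at all (a `user` without `roleName`), so gating the `console.warn` behind `isDbg` leaves production with no record of why a user was logged out; keep one unconditional log line carrying the sid and the reason, and put extra detail under `isDbg`. The four-line condition parses as `a || (b > c && d && !e)`; parenthesize the second clause and add a comment stating what a session with `user` but no `roleName` represents, since that intent is not visible here. The `_.map` callback and ttlSanity continue outside the hunk.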
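Review bot: The restored early return on `aErr` redirects to `/login?usernamefail`, which reads as "unknown username" to the user, so a database or lookup failure is now reported as a bad username; a distinct reason value for the error path (constructed example: `/login?autherr`) keeps operator-visible failures separate from user-visible ones. It is also worth confirming that the unknown-user and wrong-password paths, which lie outside this hunk, do not end in distinguishable query strings, since that difference is what makes account enumeration possible. The enclosing lookup callback and `exports.auth` start before the hunk.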
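Review bot: `require('../models/settings.json')` pulls the whole settings object — including `secret` and the `connect` URI with embedded credentials — into a session-helper library that only needs the `ttl` numbers; narrowing it to `var ttl = require('../models/settings.json').ttl;` (and using `ttl.minimum`, `ttl.nominal`, `ttl.maximum` in the hunks below) limits what this module exposes to anything that inspects its scope. A short comment such as `// Session lifetime knobs; see models/settings.json for units` would also record that these values are read once at load and shared, since Node caches the parsed JSON as one mutable object.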
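Review bot: The removed comment `// NOTE: Keep this initial timeout in sync with app.js` described a real coupling, and nothing in this diff shows the initial cookie timeout in app.js now reading `settings.ttl.minimum`; if it is still a literal there, the two values drift silently after this change. Either confirm app.js reads the same key or keep a pointer, e.g. `var min = settings.ttl.minimum; // NOTE: initial cookie timeout; app.js must read the same setting`. `exports.expand` continues outside the hunk.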
@@ -87,7 +89,7 @@ exports.expand = function (aReq, aUser, aCallback) {
 }
 // NOTE: Expanded timeout minus initial timeout.
- expiry = expiry.add(6, 'h').subtract(min, 'm');
+ expiry = expiry.add(settings.ttl.nominal, 'h').subtract(min, 'm');
 aReq.session.cookie.expires = expiry.toDate();
 aReq.session.cookie.sameSite = 'strict';
@@ -116,7 +118,7 @@ exports.extend = function (aReq, aUser, aCallback) {
 return;
 }
- expiry = expiry.add(6 * 2, 'h'); // NOTE: Keep this addition to expanded timeout in sync with app.js
+ expiry = expiry.add(settings.ttl.maximum, 'h');
 aReq.session.passport.oujsOptions.extended = true;
 aReq.session.cookie.expires = expiry.toDate();
diff --git a/models/settings.json b/models/settings.json
index 61428e446..a2e372333 100644
--- a/models/settings.json
+++ b/models/settings.json
@@ -1,5 +1,12 @@
 {
- "secret" : "someSecretStringForSession",
- "connect" : "mongodb://dev:oujs@ds041651.mongolab.com:41651/openuserjs_dev",
- "maximum_upload_script_size": 1048576
+ "secret" : "someSecretStringForSession",
+ "connect" : "mongodb://dev:oujs@ds041651.mongolab.com:41651/openuserjs_dev",
+ "maximum_upload_script_size": 1048576,
+ "ttl": {
+ "minimum": 5,
+ "nominal": 6,
+ "timerSanity": 7,
+ "timerSanityExpiry": 11,
+ "maximum": 18
+ }
 }
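Review bot: `expiry.add(settings.ttl.maximum, 'h')` adds `maximum` on top of the already-expanded expiry rather than capping at it, so with the values in settings.json an extended session now lasts about 6 + 18 = 24 hours where the old code gave 6 + 12 = 18; the old total equals the new `maximum` value, which suggests it was meant as the total lifetime, in which case this line should be `expiry = expiry.add(settings.ttl.maximum - settings.ttl.nominal, 'h');`, and if it really is an increment the key is misnamed. The removed NOTE about keeping this in sync with app.js was load-bearing; a replacement comment stating what this adds to and the resulting lifetime would keep the next change honest. The rest of `exports.extend` is outside the hunk.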
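Review bot: The five `ttl` values mix units — `minimum`, `timerSanity` and `timerSanityExpiry` are consumed as minutes, `nominal` and `maximum` as hours — and JSON gives no place to say so; encode the unit in the key (constructed example: `"nominalHours"`) or document the block in the README, so a later edit does not hand an hour count to a minute reader. The `secret` and `connect` lines are removed and re-added with identical text, apparently a whitespace-only change, which leaves a session secret and a MongoDB URI with a password in the committed file; that predates this commit, but adding tunables here makes the file more likely to be edited and shared, so moving those two values to environment configuration is worth a follow-up.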