(1) log in, log out. session's status is still 0 in the db.
this leaves multiple valid session ids behind and reduces security - even if you properly log out, somebody may reuse that session id.
(2) another problem is that guest session is not terminated after logging in as another user.
access the frontend as guest, log in. notice how logged in user count is 2.
the reason is that previous guest session has not been set to expired.
when logging in, we should set the previous guest session to expired - there is no reason for it to sit around (it is not reused - if we log out right away, a new