Index: branches/RC/core/kernel/session/session.php
===================================================================
diff -u -N -r11828 -r11865
--- branches/RC/core/kernel/session/session.php (.../session.php) (revision 11828)
+++ branches/RC/core/kernel/session/session.php (.../session.php) (revision 11865)
@@ -489,6 +489,20 @@
 $tmp_sid = $this->GetPassedSIDValue();
 $check = $this->Check();
+
+ if ($this->Application->IsAdmin()) {
+ // 1. Front-End session may not be created (SID is present, but no data in database).
+ // Check expiration LATER from kApplication::Init, because template, used in session
+ // expiration redirect should be retrieved from mod-rewrite url first.
+
+ // 2. Admin sessions are always created, so case when SID is present,
+ // but session in database isn't is 100% session expired. Check expiration
+ // HERE because Session::SetSession will create missing session in database
+ // and when Session::ValidateExpired will be called later from kApplication::Init
+ // it won't consider such session as expired !!!
+ $this->ValidateExpired();
+ }
+
 if ($check) {
 $this->SID = $this->GetPassedSIDValue();
 $this->Refresh();
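Review bot: `$check` is computed before the new `$this->ValidateExpired()` call in the admin branch, so the `if ($check)` block that follows acts on a result taken before expiry was handled. If `Check()` can still return true for a row that `DeleteExpired()` then removes (neither body is visible here, so this needs confirming), the code would drop the cookie and call `SetSession()`, then reassign `$this->SID` from the passed value and `Refresh()` it, which keeps an expired identifier in use. Consider re-evaluating after the call, e.g. `$check = $this->Check();` directly below `$this->ValidateExpired();`, or add a comment stating why the earlier result remains valid. The enclosing method starts and ends outside this hunk.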
@@ -501,19 +515,28 @@
 if (!is_null($this->OriginalMode)) $this->SetMode($this->OriginalMode);
 }
- function ValidateExpired() {
- if( !(defined('IS_INSTALL') && IS_INSTALL) )
- {
- $expired_sids = $this->DeleteExpired();
- if ( ( $expired_sids && in_array($this->CachedSID,$expired_sids) ) || ( $this->CachedSID && !$this->SessionSet ) ) {
- $this->RemoveSessionCookie();
- // true was here to force new session creation, but I used RemoveCookie a line above, to avoid redirect loop with expired sid not being removed
- // setSession with true was used before, to set NEW session cookie
- $this->SetSession();
- $this->Application->HandleEvent($event, 'u:OnSessionExpire');
- return ;
- }
+ function ValidateExpired()
+ {
+ if (defined('IS_INSTALL') && IS_INSTALL) {
+ return ;
 }
+
+ $expired_sids = $this->DeleteExpired();
+ $my_sid_expired = in_array($this->CachedSID, $expired_sids);
+
+ if ( ($expired_sids && $my_sid_expired) || ($this->CachedSID && !$this->SessionSet) ) {
+ $this->RemoveSessionCookie();
+ // true was here to force new session creation, but I (kostja) used
+ // RemoveCookie a line above, to avoid redirect loop with expired sid
+ // not being removed setSession with true was used before, to set NEW
+ // session cookie
+ $this->SetSession();
+
+ // case #1: I've OR other site visitor expired my session
+ // case #2: I have no session in database, but SID is present
+ $expire_event = new kEvent('u:OnSessionExpire');
+ $this->Application->HandleEvent($expire_event);
+ }
 }
 function IsHTTPSRedirect()
@@ -760,6 +783,7 @@
 {
 if ($this->SessionSet && !$force) return true;
 if (!$force && !($this->Application->IsAdmin() || $this->Application->GetVar('admin')) && !$this->NeedSession()) {
+ // don't create session (in db) on Front-End, when sid is present (GPC), but data in db isn't
 $this->GenerateSID();
 return false;
 }
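Review bot: In the rewritten `ValidateExpired()` (the `-501,19 +515,28` hunk), `in_array($this->CachedSID, $expired_sids)` now runs unconditionally, whereas the removed code only reached `in_array` after the `$expired_sids &&` short-circuit. If `DeleteExpired()` can return a non-array when nothing expired (its body is not visible here), this line raises a warning, or a TypeError on PHP 8, in the session-expiry path. The comparison is also loose, so an unset or empty `CachedSID` could compare equal to an unrelated entry and report a session as expired. Restoring the guard keeps the old behaviour: `$my_sid_expired = is_array($expired_sids) && in_array($this->CachedSID, $expired_sids);`, with `true` as the third argument if SIDs are always held as one type.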