Oh, I misunderstood what you meant as the session token still being active.
I got you now. I've been using 3rd party password managers (with a timeout for a forced reauth) long enough that I forgot when you let the browser do it it's not nearly so locked down.
which, if the persons password is saved in their browser, would pass through to the website, granting a re-auth.