In preparation for a talk I'm giving at DOSUG I'm going to post my thoughts as they develop.
Before a person can do anything in Miranda they must log in and create a new Session. The user supplies a user name and the system responds with an encrypted, random long value: the session. The session is encrypted with the user's public key. The user must accompany all their requests with the (decrypted) session.
The SessionManager keeps track of all the sessions. It is also responsible for telling the cluster about new Sessions. A session lasts for one hour (default). The SessionManager checks for expired Sessions every 5 minutes (default). If a Session is used, its expiration time is adjusted to give it an hour from that point until it expires. When the SessionManager expires a Session, it tells the cluster about it, so the Session will expire on all nodes.
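
The session lifecycle described above, as an added example that is not Miranda's own code: a sliding one-hour expiry, a periodic sweep, and a cluster notification on create and expire. The `clock` and `notify_cluster` parameters and the `use` and `sweep` method names are assumptions, the public-key encryption of the token is left out, and rejecting an expired session at use time (rather than waiting for the next sweep) is a choice made in this example.

```python
import secrets

SESSION_TTL = 60 * 60      # one hour, the default stated in the post
SWEEP_INTERVAL = 5 * 60    # five minutes, the default stated in the post

class SessionManager:
    def __init__(self, clock, notify_cluster, ttl=SESSION_TTL):
        self.clock = clock                    # assumed: callable returning seconds
        self.notify_cluster = notify_cluster  # assumed hook: (event, token)
        self.ttl = ttl
        self.sessions = {}                    # token -> (user, expires_at)

    def create(self, user):
        token = secrets.randbits(64)          # random long from a CSPRNG
        self.sessions[token] = (user, self.clock() + self.ttl)
        self.notify_cluster("new", token)
        return token  # the flow in the post encrypts this with the user's public key

    def use(self, token):
        """Return the user for a live session and slide its expiry, else None."""
        entry = self.sessions.get(token)
        now = self.clock()
        # Check expiry here as well: the sweep can lag by up to SWEEP_INTERVAL.
        if entry is None or now >= entry[1]:
            return None
        self.sessions[token] = (entry[0], now + self.ttl)
        return entry[0]

    def sweep(self):
        """Run every SWEEP_INTERVAL: drop expired sessions and tell the cluster."""
        now = self.clock()
        expired = [t for t, (_, exp) in self.sessions.items() if now >= exp]
        for token in expired:
            del self.sessions[token]
            self.notify_cluster("expired", token)
        return expired

def demo():
    now = [0.0]                               # constructed fake clock
    events = []
    mgr = SessionManager(lambda: now[0], lambda event, token: events.append(event))
    token = mgr.create("alice")               # constructed user name
    now[0] = 3000
    alive = mgr.use(token)                    # used at 50 min: expiry slides to 6600
    now[0] = 6500
    swept_early = mgr.sweep()                 # past the first hour, but still live
    now[0] = 6650
    late_use = mgr.use(token)                 # expired, sweep has not run yet
    return alive, swept_early, late_use, mgr.sweep() == [token], events
```

Without the expiry check in `use`, a session could remain usable for up to one sweep interval after its stated lifetime.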