Expire deactivated users sessions
The following discussion from !130 (merged) should be addressed:
This should ideally expire the user's sessions (this is fine to break into another issue because I don't think we know a good way to do it currently).
Probably by checking
user.active on each request