Limit the number of stored sessions per user

We only expire sessions once they time out but from the user perspective it's unrealistic that anyone can manage hundreds or thousands of sessions. Let's limit the number of active sessions and throw away the older ones.

This would have also made the session cleanup issue less problematic.