Accidentally came across the following potential vulnerability in Joomla: the session expiry in the frontend does not match the backend. The frontend session did not end for more than two days. Pretty dangerous if you give out a lot of different permissions to editors and authors.
Fix:
Open the file modules/mod_login/tmpl/default.php and comment out this line at the top:
JHtml::_('behavior.keepalive');
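That call makes the page ping the server periodically, so the session never expires while the page stays open. Once it is commented out, the backend and frontend session times will coincide.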
Good luck!
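To check that no other layout or template override still makes the call after the fix, here is a small audit script, added as an example and not part of the original post or of Joomla. It lists every PHP file under a site root with an uncommented JHtml::_('behavior.keepalive') call; the sample tree and the paths in it (apart from the mod_login one above) are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# The call from the post, with either quote style; PHP class names are case-insensitive.
CALL = re.compile(r"""JHtml::_\(\s*['"]behavior\.keepalive['"]\s*\)""", re.I)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT = re.compile(r"(//|#).*")


def strip_comments(php):
    """Return the source as lines with PHP comments blanked out.
    Heuristic: '//' or '#' inside a string literal also cuts the line."""
    # Replace block comments by the same number of newlines to keep line numbers.
    php = BLOCK_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), php)
    return [LINE_COMMENT.sub("", line) for line in php.split("\n")]


def active_keepalive_calls(root):
    """List (relative path, line number) of every uncommented keepalive call."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for number, line in enumerate(strip_comments(text), 1):
            if CALL.search(line):
                hits.append((path.relative_to(root).as_posix(), number))
    return hits


def make_sample_tree(root):
    """Write a constructed mini site: two active calls, one commented out."""
    samples = {
        "modules/mod_login/tmpl/default.php":
            "<?php\ndefined('_JEXEC') or die;\nJHtml::_('behavior.keepalive');\n",
        "modules/mod_example/tmpl/default.php":  # hypothetical module
            "<?php\n/*\nJHtml::_('behavior.keepalive');\n*/\n"
            "JHtml::_(\"behavior.keepalive\");\n",
        "templates/example/html/mod_login/default.php":  # hypothetical override
            "<?php\n// JHtml::_('behavior.keepalive');\n",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    # Usage: python audit_keepalive.py /path/to/joomla
    for rel, number in active_keepalive_calls(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}:{number}")
```

An empty result for the frontend directories means no page there refreshes the session any more.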