I recently had to deal with the OpenAM authentication framework, and especially to find a way to prevent the expiration of HTTP sessions for unauthenticated users. If you are interested in this topic, follow this link.

I also added my 2 cents with some security best practices for deploying OpenAM: have a read.