Hello @KevinTheJedi ! I believe I've resolved the issue. I'm sure there are methods implemented that should properly automatically log out the user on timeout, but perhaps there is a bug like you mentioned.
I see there is specific code for unsettings the staff token portion of the session and clearing the staff auth portion, but perhaps that's not quite enough. Anyways, hopefully this doesn't mess anything up. I appreciate the help.
Edit: Alright I think I have it completely resolved.
Basically I added two sections, one to class.usersession.php under the "isvalidsession" function and one to logout.php under the "try" section. Basically I copy the CSRF token from SESSION['csrf']['token'], empty the SESSION , then add the CSRF token back to $_SESSION['csrf']['token']. This resets the OSTSESSID on page reload, but maintains the valid CSRF token.