Shiro / SHIRO-53

AbstractValidatingSessionManager - auto-delete invalid sessions to prevent orphans


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved

    Description

      The current behavior on bulk session validation is to validate each active Session, and if it has been stopped/expired as a result of validation, the session is persisted back to the back-end datastore via a SessionDAO. SessionDAO#delete is never called.

      The default behavior of bulk validation should be to just delete all sessions whose last access timestamp is older than the session timeout value, as most end-users will not want to query or access session data after the session is invalidated.

      The existing behavior is in place to allow historical reporting of user access logs based on session, but the framework itself does not make use of any such feature, and most end-users will not need such functionality. The existing behavior should remain, but only execute based on a configuration flag that is turned off by default.
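The two behaviours contrasted in the description, as an added example that is not part of the original issue or of Shiro's code: one bulk-validation pass that either persists invalidated sessions or deletes them, depending on a flag. `Sess`, `Store`, `sweep` and `retainInvalid` are hypothetical names, the in-memory store stands in for the datastore behind a SessionDAO, and the clock and timeout values are constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.*;

public class SessionSweepExample {
    // Hypothetical minimal session record (not Shiro's Session type).
    static final class Sess {
        final String id; final Instant lastAccess; Instant stopped;
        Sess(String id, Instant lastAccess) { this.id = id; this.lastAccess = lastAccess; }
    }

    // Hypothetical in-memory stand-in for the datastore behind a SessionDAO.
    static final class Store {
        final Map<String, Sess> rows = new LinkedHashMap<>();
        void update(Sess s) { rows.put(s.id, s); }
        void delete(Sess s) { rows.remove(s.id); }
        List<Sess> active() {               // snapshot of sessions not yet stopped
            List<Sess> out = new ArrayList<>();
            for (Sess s : rows.values()) if (s.stopped == null) out.add(s);
            return out;
        }
    }

    // One bulk-validation pass; returns how many sessions were invalidated.
    static int sweep(Store store, Duration timeout, Instant now, boolean retainInvalid) {
        int invalidated = 0;
        for (Sess s : store.active()) {     // iterating a snapshot, so delete() is safe here
            if (Duration.between(s.lastAccess, now).compareTo(timeout) <= 0) continue;
            s.stopped = now;
            if (retainInvalid) store.update(s);   // behaviour the issue describes as current
            else store.delete(s);                 // proposed default: no orphaned rows
            invalidated++;
        }
        return invalidated;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T12:00:00Z"); // constructed sample clock
        Duration timeout = Duration.ofMinutes(30);           // constructed timeout value
        for (boolean retain : new boolean[] {true, false}) {
            Store store = new Store();
            store.update(new Sess("fresh", now.minus(Duration.ofMinutes(5))));
            store.update(new Sess("stale-1", now.minus(Duration.ofHours(2))));
            store.update(new Sess("stale-2", now.minus(Duration.ofDays(3))));
            int n = sweep(store, timeout, now, retain);
            System.out.printf("retainInvalid=%b invalidated=%d rowsLeft=%d%n", retain, n, store.rows.size());
        }
    }
}
```

With `retainInvalid` set, the stale rows stay in the store as stopped records after every pass; with it cleared, only the live session remains.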

          People

            lhazlewood Les Hazlewood