get_current_user does not check session validity
get_current_user() function suggests that the returend user is currently logged in and therefor the current session is valid (it returns
None if the user is not logged in). But the function also returns a valid user object if the session timed out. The behaviour should be more consistent (behaviour on logout vs. on timeout) and/or better documented.
See also test