From the PR @ https://github.com/igniterealtime/Openfire/pull/1331
How to reproduce on HEAD:
(1) Create a second administrator account "dan"
(2) Using web browser 1 log in as "dan" and open up the sessions list in the admin console
(3) User web browser 2 log in as other admin, and revoke the admin permission for "dan"
(4) Dan can still refresh and use the admin console
I've tested the regular paths with admin console users - but in all honesty I haven't tested the "auth token" path (although the code seems OK to my eyes).