Sessions in redis have TTLs.

But all the tokens do not.

I am not sure though that the TTL on the session matches the logic behind the TTL properties that the session itself has. It seems that we put a really low TTL on the redis keys but higher things in the session properties. We should make sure these are all compatible.

Also all tokens do not have TTLs at all. We should assign some or if we do not then we should have some background process that removes expired tokens from the db.

Without TTLs we cannot properly configure redis to evict keys when it reaches its memory limit.