This is a really good question. I feel like there should be a best
practice for it but I don't have one. Here is a handful of suggestions.
- Use a different cookie for the JS.
- Don't send a cookie at all with the JS if the data isn't user protected.
- You need finer grained control so manage session expiration yourself in session values/attributes and hook after "finalize" or along that line.
- Write a Session Plugin subclass and use finalize_session. I've done this one. Don't have time, right
now, to part it out to something simple for you.
- Emulate "logout" by clearing the user from the session triggered by resetting a user key expiration on all non-Ajax pages (that one is simple
enough to hack out below).
- Maybe one or two I've not considered.
Emulate logout by clearing user from $c->session
If you have your view classes divided properly, this version should
be easy. Just put it in your non-Ajax/JSON view class's end. I include
Catalyst::Action::RenderView despite the simplistic example
as I consider it a best practice and it enables app (or view at least) wide error handling.
    sub render : ActionClass("RenderView") {}

    sub end : Private {
        my ( $self, $c ) = @_;
        $c->session_expire_key( __user => 3600 ); # "Expiration" is now 1 hour.
        $c->forward("render");
    }
Possible variation, untested, might need browser specific tweaks. :(
    # Treat a missing X-Requested-With header as "" to avoid an undef warning.
    $c->session_expire_key( __user => 3600 )
        unless ( $c->req->header("X-Requested-With") // "" ) eq "XMLHttpRequest";
See also, Catalyst::Manual::Cookbook.
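
Added example, not part of the original post: a plain-Perl model of the "manage session expiration yourself in session values" suggestion, where only non-Ajax requests refresh the user's idle timestamp, so background polling cannot keep a login alive. The session hash stands in for $c->session; the helper name, the session keys and the 3600-second limit are assumptions.

```perl
use strict;
use warnings;

# Hypothetical idle limit in seconds (assumption, matches the 1 hour above).
my $IDLE_LIMIT = 3600;

# Hypothetical helper: $session stands in for $c->session, $is_ajax for the
# X-Requested-With check. Returns "anonymous", "expired" or "active".
sub check_user_activity {
    my ( $session, $now, $is_ajax ) = @_;
    return "anonymous" unless defined $session->{user};

    # Expire first, for every request type, so a polling request cannot
    # read user data after the idle window has closed.
    if ( $now - $session->{user_last_active} > $IDLE_LIMIT ) {
        delete @{$session}{qw(user user_last_active)};
        return "expired";
    }

    # Only real page views count as activity; Ajax polling does not.
    $session->{user_last_active} = $now unless $is_ajax;
    return "active";
}

# Constructed timeline: login at t=0, one page view, then polling only.
my %session = ( user => "alice", user_last_active => 0 );
for my $req ( [ 600, 0 ], [ 2400, 1 ], [ 4000, 1 ], [ 4300, 1 ], [ 4400, 0 ] ) {
    my ( $t, $ajax ) = @$req;
    printf "t=%-5d %-4s %s\n", $t, $ajax ? "ajax" : "page",
        check_user_activity( \%session, $t, $ajax );
}
```

The idle window is measured from the last page view, so the user is dropped at the first request that arrives more than 3600 seconds after it, even though polling continued in between.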