[eluser]WanWizard[/eluser]
The session is expired when you don't receive a valid session cookie.
Cookies expire client-side, once the expiration time is reached, the client will delete the cookie locally, and will not send it with the request to the server. Server side, if no session cookie is received, the CI Session class will automatically create a new session, and will include this session cookie in the result send back to the client. From a client perspective, there is no difference, the client just sees an encrypted cookie.
If you want the client to re-authenticate, use a REST response (= error code / message) to alert the client to do so.
Server side you should record the logged in state in the cookie, so you can check in your code if the session is authenticated. Based on this information, you can craft the proper response.