I believe I tried that as the very first thing, but ran into issues. It's been a while, so I can't remember. It's possible I missed something simple, though.
If memory serves, the big problem was always the session timeout issue, and in my testing it didn't work. But I was a bit under the gun at the time. Have you tried setting session timeout in a dev instance really low and playing around with it? What happened in the scenarios where the first logged-in user was timed out, but then a second logs in, and then the first comes back again, but is this time authenticated with a token auth, rather than username and password? Or if both of them time out and come back? I was never able to get that to work with the simple filter extension you've done. (Again, could have made a mistake...)