Tja ich weiß nicht was ich noch dazu sagen soll:
It is impossible to maintain a secure session with Twitter, for multiple reasons. Additionally, once a session has been hijacked, it is possible for the attacker to maintain control over the account (not just the session) indefinitely, unless the user changes their password. This is because the session cookie has the same lifetime as the password.
This cookie works even after the user logs out using the http://twitter.com/logout action, and even after the user logs back in again to start a new session. The only way to invalidate this cookie is to change the user's password, which results in a new, equally long-lived password_token value.