If MAX_DURATION is used and the duration is expired the middleware issues a redirect to 'impersonate-stop'. The browser will then request that url and the middleware will once again issue a redirect to 'impersonate-stop' even though the request url is already that url. This results in an endless redirect-loop.
Thanks for this report! I'll look into it asap.