Care should be taken when only the client data is encrypted. Normally the server side will echo the characters entered by the client. An eavesdropper could then see what the client is typing by just looking at the data stream from the server. An implementation should at least warn a human client in this case.
A session key becomes weaker and weaker the longer it is used. For long-lived sessions it is therefore necessary to change the session keys. This can be done by repeating the authentication procedure (to exchange new keys) and then restarting the encryption.
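The following is an added example, not part of the original text: a client-side state tracker that raises the two conditions described above, one-directional encryption with server echo and an overused session key. The class name, field names and the byte and age limits are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field

# Assumed policy limits (not from the original text); tune per cipher and deployment.
MAX_KEY_BYTES = 1 << 20      # bytes processed under one session key
MAX_KEY_AGE_S = 3600.0       # seconds one session key may stay in use


@dataclass
class SessionCryptoState:
    encrypt_out: bool = False    # client -> server stream is encrypted
    decrypt_in: bool = False     # server -> client stream is encrypted
    remote_echo: bool = True     # server echoes the characters the client types
    key_bytes: int = 0           # traffic seen since the last key exchange
    key_started: float = field(default_factory=time.monotonic)

    def echo_leak(self) -> bool:
        """Typed input is encrypted outbound but comes back echoed in the clear."""
        return self.encrypt_out and not self.decrypt_in and self.remote_echo

    def record(self, nbytes: int) -> None:
        """Account for traffic processed under the current session key."""
        self.key_bytes += nbytes

    def rekey_due(self, now=None) -> bool:
        """True once the current key has exceeded the byte or age limit."""
        if not (self.encrypt_out or self.decrypt_in):
            return False         # nothing is encrypted, so there is no key to rotate
        now = time.monotonic() if now is None else now
        too_much = self.key_bytes >= MAX_KEY_BYTES
        too_old = now - self.key_started >= MAX_KEY_AGE_S
        return too_much or too_old

    def rekeyed(self, now=None) -> None:
        """Call after authentication was repeated and encryption restarted."""
        self.key_bytes = 0
        self.key_started = time.monotonic() if now is None else now

    def warnings(self, now=None) -> list:
        """Messages an implementation would show to a human client."""
        out = []
        if self.echo_leak():
            out.append("only client data is encrypted; server echo exposes keystrokes")
        if self.rekey_due(now):
            out.append("session key limit reached; repeat authentication and restart encryption")
        return out
```
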