It should be possible to configure a client-side authentication to auto-logout after either an absolute duration, or after some amount of idle time, or both.

The client-side authentication cache, whatever form it takes, must be aware of usages to update the logout time, for idle timeouts.