Description of auto_logout could be more clear.

[dseomn]

auto_logout is described as:

Enable or disable the automatic logout after session_lifetime, even if session keepalive is enabled. This will make sure that an inactive browser will be logged out even if requests to the server might extend the session lifetime.

I initially read that as saying the server would invalidate/delete the session after session_lifetime, even if there are requests/activity that would otherwise extend the session lifetime. It looks like it just affects what the client does though, not the server. Especially given that there doesn't seem to be another way for the server to limit the duration of a session in the face of a compromised client, it would be nice if the documentation made it clear that auto_logout does not provide that security.

[joshtrichards]

I agree this does appear to be client-side only:

nextcloud/server#11828 (comment)
nextcloud/server/pull/20298

Would you mind proposing an edit via PR?

P.S. Since the docs for the config.php entries are auto-generated from the config.php.sample in the server repo, you have to do it a bit differently: the file to submit against isn't in the documentation repository but in server here:

https://github.com/nextcloud/server/blob/master/config/config.sample.php

[dseomn]

Would you mind proposing an edit via PR?

Sorry, my employer doesn't allow working on AGPL repos normally. There is an approval process I could use to do it, but it's not worth the effort for me for this.