I minor update to the settings form that emphases that the max_session_timeout settings is primary for user level timeouts in user form when that is enabled.
New featrue: Autologout alterable now has a feature to clean up old session on server side. It can be turned of with the use_cron config, enabled by default.
The cron job analyses old sessions with the same rule set regarding timeout and max_session_length. The autologout profile can also in cron context be altered via the event AutologoutEvents::AUTOLOGOUT_CRON_PROFILE_ALTER_CRON.
NOTE: In the AUTOLOGOUT_CRON_PROFILE_ALTER_CRON event the context is not the same as in an ordinary request profile alter, for example session service is not available. The current user service can be trusted though.
If the profile cannot (or should not) be alterered and/or the session for any other reason should not be deleted by the cron job a preventSessionDelete flag can be set in the AUTOLOGOUT_CRON_PROFILE_ALTER_CRON event. That way the particular session can be handled instead in the next ordinary client side induced request.