Feature request: Enforce session timeout (regardless of activity and "remember me")
I would like to request a feature which makes it possible to enforce a session timeout regardless of the user activity and "remember me" setting. It should not be possible to extend the session duration on the client-side.
Reason: Security requirements from our organization require a session timeout after a specific session duration, which forces the users to make a new login.
Current behavior
Currently with GitLab 15.8.3, it is to my knowledge not possible to enforce a strict user session timeout.
Session duration only applies to inactivity
You can customize the default session duration in the admin area, but the session only expires due to inactivity. When a user is constantly accessing GitLab, this session duration never takes effect, because the inactivity timer restarts on every request.
I tested this behavior by setting the session duration to 2 minutes and then accessing GitLab within these 2 minutes. The session is not destroyed 2 minutes after the login. Only after 2 minutes of inactivity was I logged out.
Session duration can be extended with the _gitlab_session cookie
A user can manually set the Max-Age of the _gitlab_session cookie to extend the session duration indefinitely.
Assume the following setup: we set the session duration to 1080 minutes (18h) and a user sets the Max-Age of the _gitlab_session cookie on the client-side to (Current date)+(1 year).
The user now only has to access GitLab once every 18 hours to restart the session duration. The user is never logged out for a whole year, even if the browser window is closed in between.
"Remember me" option automatically gets you a new _gitlab_session cookie
You can tick the option "Remember me" before logging in, which will get you a new _gitlab_session cookie for 2 weeks: Cookies used for sign-in.
The session duration defined in the admin area has no effect; you will be logged in every time you access the GitLab UI within those 2 weeks.
Desired behavior with new feature
A new option makes it possible to define a strict max. user session duration, where each user's session will be destroyed after the defined time since logging in.
- Session duration will not start over when constantly accessing GitLab after logging in. The session starts when logging in and will be destroyed regardless of the user activity after the defined strict max. user session duration.
- It should not be possible to influence the session duration on the client-side.
- Ticking "Remember me" before logging in has no impact on the session timeout. When a strict max. user session duration is specified, the user should be logged out once it elapses, even with "Remember me" ticked.
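The following Ruby example (added here for illustration; it is not GitLab code and does not reflect how GitLab's session handling is implemented) models both behaviours described above: the current sliding expiry, where every request restarts the inactivity timer, and the desired strict max. session duration, where the login time is recorded server-side and the session is destroyed once that time elapses regardless of activity, client-side cookie Max-Age or "Remember me". The SessionPolicy class, the simulate helper and the 2-week "Remember me" lifetime constant are assumptions made for this example; the 18h value matches the setup above.

```ruby
# Added example, not GitLab code: server-side session validation with an
# idle (sliding) timeout and an optional absolute maximum lifetime.
# All times are integer seconds so the simulation is deterministic.

MINUTE = 60
HOUR   = 60 * MINUTE
DAY    = 24 * HOUR
# Constructed value: idle window granted by "Remember me" (2 weeks, as on the page).
REMEMBER_ME_LIFETIME = 14 * DAY

class SessionPolicy
  attr_reader :idle_timeout, :absolute_timeout

  # idle_timeout: seconds without a request before the session expires.
  # absolute_timeout: seconds since login after which the session expires
  #   regardless of activity; nil reproduces the sliding-only behaviour.
  def initialize(idle_timeout:, absolute_timeout: nil)
    @idle_timeout = idle_timeout
    @absolute_timeout = absolute_timeout
  end

  # Session record created at login. created_at lives on the server, so a
  # client editing the Max-Age of its cookie cannot change it.
  def login(now, remember_me: false)
    { created_at: now, last_seen_at: now, remember_me: remember_me }
  end

  # Returns :ok, :idle_expired or :absolute_expired for a request at `now`.
  # The absolute check runs first, so "Remember me" cannot override it.
  def check(session, now)
    if absolute_timeout && now - session[:created_at] >= absolute_timeout
      return :absolute_expired
    end
    idle_limit = session[:remember_me] ? REMEMBER_ME_LIFETIME : idle_timeout
    return :idle_expired if now - session[:last_seen_at] >= idle_limit
    :ok
  end

  # Handles one authenticated request: refreshes last_seen_at (the sliding
  # timer) only while the session is valid, otherwise destroys it (nil).
  def touch(session, now)
    return nil unless check(session, now) == :ok
    session.merge(last_seen_at: now)
  end
end

# Simulates a client that logs in at t=0 and then sends a request every
# `interval` seconds for `duration` seconds. Returns the time of the first
# request the server rejected (the session is destroyed then), or nil if
# the session survived the whole period.
def simulate(policy, interval:, duration:, remember_me: false)
  session = policy.login(0, remember_me: remember_me)
  t = interval
  while t <= duration
    session = policy.touch(session, t)
    return t if session.nil?
    t += interval
  end
  nil
end

# Current behaviour: 18h idle timeout only.
SLIDING = SessionPolicy.new(idle_timeout: 18 * HOUR)
# Desired behaviour: same idle timeout plus a strict 18h absolute lifetime.
STRICT  = SessionPolicy.new(idle_timeout: 18 * HOUR, absolute_timeout: 18 * HOUR)
YEAR    = 365 * DAY

if __FILE__ == $PROGRAM_NAME
  puts "sliding, one request every 17h: destroyed at #{simulate(SLIDING, interval: 17 * HOUR, duration: YEAR).inspect}"
  puts "sliding, remember me, every 19h: destroyed at #{simulate(SLIDING, interval: 19 * HOUR, duration: YEAR, remember_me: true).inspect}"
  puts "strict,  one request every minute: destroyed at #{simulate(STRICT, interval: MINUTE, duration: YEAR)} s"
  puts "strict,  remember me, every minute: destroyed at #{simulate(STRICT, interval: MINUTE, duration: YEAR, remember_me: true)} s"
end
```

With the sliding policy a client that checks in every 17 hours keeps its session for the whole year (nil), which is exactly the Max-Age scenario above, while the strict policy destroys the session at 64800 s (18h) after login no matter how often the client makes requests and no matter whether "Remember me" was ticked.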