Add config option to limit session duration regardless of requests/activity (server-side) #29227

@dseomn

How to use GitHub

  • Please use the 👍 reaction to show that you are interested in the same feature.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Is your feature request related to a problem? Please describe.

Not a problem I've had, just a general security best practice I want to follow.

Describe the solution you'd like

Add a configuration parameter that prevents any session (not including app tokens) from lasting more than the given amount of time, regardless of its activity or how recently it made a request to the server.

Describe alternatives you've considered

I thought session_lifetime combined with auto_logout would do what I want, but looking at the code, that seems to be implemented client-side. (I filed a separate issue for preventing other people from thinking those parameters do what this feature request is about: nextcloud/documentation#7244.)

Additional context

N/A
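
An added sketch, not part of the original issue and not Nextcloud code, of what server-side enforcement of the requested limit could look like: the check runs on every request and measures the cap from token creation, so activity cannot extend it. The settings `session_idle_timeout` and `session_max_age`, the `TokenRecord` class and `checkToken()` are hypothetical names, and the timestamps are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical settings for this sketch (not existing Nextcloud options).
const CONFIG = [
    'session_idle_timeout' => 15 * 60,     // seconds allowed between requests
    'session_max_age'      => 8 * 60 * 60, // hard cap in seconds since login
];

final class TokenRecord
{
    public function __construct(
        public readonly string $type,   // 'session' or 'app'
        public readonly int $createdAt, // set once at login, never refreshed
        public int $lastActivity,       // updated on each accepted request
    ) {}
}

// Server-side decision for one request at time $now.
// Returns 'ok', 'idle_expired' or 'max_age_expired'.
function checkToken(TokenRecord $token, int $now, array $config = CONFIG): string
{
    if ($token->type !== 'app') { // app tokens are excluded, as the request asks
        // Absolute cap first: measured from creation, so activity cannot extend it.
        if ($now - $token->createdAt >= $config['session_max_age']) {
            return 'max_age_expired';
        }
        if ($now - $token->lastActivity >= $config['session_idle_timeout']) {
            return 'idle_expired';
        }
    }
    $token->lastActivity = $now;
    return 'ok';
}

// Constructed scenario: both tokens send a request every 10 minutes for 9 hours.
$login = 1_700_000_000;
$tokens = [
    new TokenRecord('session', $login, $login),
    new TokenRecord('app', $login, $login),
];
foreach ($tokens as $token) {
    $result = 'ok';
    for ($now = $login; $now <= $login + 9 * 3600 && $result === 'ok'; $now += 600) {
        $result = checkToken($token, $now);
    }
    printf("%s token: %s after %d min\n", $token->type, $result, intdiv($now - 600 - $login, 60));
}
```

The session never goes idle in this scenario, yet it is rejected once it reaches the cap, while the app token keeps working.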
