Auto-logout without JavaScript? And the implications of such a solution?

So I need to implement an auto-logout feature for WordPress. With JavaScript this seems straightforward;

• Prompt after X minutes idle (jQuery.nap), alternate <title> to gain attention
• If there is no confirmation after Y seconds, run logout

Seeing that the point of an auto-logout feature is security, would that deem it neccessary to have a no-JavaScript fallback?

And i开发者_Python百科f so, the only solution I can see is to store & compare access times on successive requests, but the caveats I can already see are;

• It's no longer 'idle' time (time the user is effectively 'away'), merely time between each page load.
• If a user has walked away, whatever is currently on the page is vulnerable indefinitely, until the next request fires the logout.

I could say, for arguments sake, a server-side solution to log out after Z hours between requests, as opposed to a much shorter time for JavaScript?

What are your thoughts on the matter, and my proposed solution?

Using Javascript for this seems precarious at best to me. If the threat is the user walking away from the computer while logged in, and then an attacker walking up and doing bad things on his account, then the attacker could very well just disable javascript upon walking up to the machine. Unless of course the timer has already hit by the time the attacker gets there. But that would mean the timer would have to be pretty short.

I don't know about you, but I HATE websites that automatically log you off in a couple of minutes. It's a huge hassle for very little security benefit, IMO. It just doesn't seem like a realistic threat to me: Someone following one of your users, who happens to be in a public space, using an important account, then walks away leaving the computer unguarded?

A more realistic threat would be that the connection itself gets hijacked from someone quitting out of the browser without actually logging off or something. Having a server-side timeout of maybe an hour would be useful there.