It's not really acceptable to set the default property to false, I know various customers where people are logged in the entire day and want to continue working all the time, even if they leave the pc for a few minutes. The case where you log out automatically is the corner case.
There is something about this on security.stackexchange.com, see http://security.stackexchange.com/questions/43809/do-we-need-to-logout-of-webapps I quote: All-day applications: STAY LOGGED IN. For services you use all day and want quick/easy access to, e.g. Facebook, email, etc - IF this is your own private (or work) computer on a trusted network, it is a sensible trade-off to leave your browser logged in long-term.
Note this is even less strict because this is even about apps where you log back in when you go back to the URL, rather than leaving the browser window opened.
I agree that the client sending keepalives even when the server doesn't care about them is not ideal though.
And there is actually a setting you're looking for called ClusterManagerActionInterval, which defines how often expired sessions are checked. It does more than just that though, it also checks if it can unblock users after a certain time and handles some statistics, etc.
Also, you're NOT automatically redirected to the login form, the server can't/doesn't send a message to the client that it's no longer logged in. You probably get this page when you're trying to do something with the client.