And if things are not working as expected I still find the answer of Jasper a great one about which value influence what:
From the documentation, com.mendix.webui.HybridAppLoginTimeOut only influences the validity of the token, not session timeout.
Determines how many minutes your token will remain valid before re-authenticating using your full credentials. This setting defaults to -1, which is equal to no timeout.
At least for a desktop app - and I believe this will also work for a hybrid app - is to use the settings SessionTimeout (value: 900000) and EnableKeepAlive (value: false): this means that all sessions expire after 15 minutes of inactivity. Do check the documentation about the cluster manager, as it may not be exactly 15 minutes.