Security issue: Returning users doesnt have to log in?

I have a problem with users accessing their files and accounts without having to log in!

Context: I am the Admin of my Nextcloud installation, which is hosted by a hosting service.

A couple of my users have this habit of just closing their browser, as opposed to clicking “Log out” inside the Nextcloud interface. This means that next time they turn on their computer, and go to my Nextcloud installation, they walk right in to their own accounts without having to log in. It may have been a week since they were logged in last, and they still walk right in. This is highly undesirable in my opinion.

I assume this is because Nextcloud might be storing a cookie in the browser temporary folder. And this cookie then remains in the browser temp folder even after the browser has been closed down? And Nextcloud reads this cookie next time they enter the URL of my Nextcloud installation. Someone please correct me if I am wrong.

This means someone could just copy the cookie file off of these users browser temporary folder and put it in their own temporary browser folder, and they won’t have to log in either, I suppose? Or perhaps easily figure out how to make a fake cookie with another user’s credentials?

This is a concerning security issue to me. And unfortunately, I do not wish to depend on users “doing the right thing”. I really want them to not be able to log in this easily.

Is there some way to prevent this from happening?

thanks for suggestions

Nextcloud plans implementing automatic logout

But that will likely come after v.19…