User not logged out after browser / tab closed

NC Version 15.0.2.0
OS Ubuntu 16.04.6
PHP 7.0.33-0ubuntu0.16.04.3

Accounts are used at public computers, and sometimes users forget to log out. To prevent data theft, session timeout and login cookie lifetime are regulated in config.php:

'remember_login_cookie_lifetime' => 0,
'session_lifetime' => 60*5,
'session_keepalive' => false,

Expected behavior:
After the browser is closed, reopened and navigated to the cloud, NC will prompt for login.

Actual behavior: after the browser is closed, reopened and navigated to the cloud, the user is still logged in and the cloud is fully usable without logging in again.

What am I missing?

A local cookie is used to store information about a valid session in the browser. You should make sure that this cookie is deleted once the browser is closed. Additionally it might be a good idea to browse in private mode by default on a public computer.

There seems to be an upcoming change in NC16 regarding the behavior of remember_login_cookie_lifetime

So maybe this setting is currently not doing what you expect it to do.

Sure, I encourage my users to log out after every session, especially when they are using public computers. But we all know there are human errors… I just try to harden security a bit.

Yes, maybe. My session times out after 5 min, which is consistent with

'session_lifetime' => 60*5,

but remembers the session for 5 minutes after browser closing.

In a business environment, when you close the browser and reopen it you should have to log back in and not have to remember to clear a cookie. I want it to always ask for the password after the stated time. How can this be done? This should be the default, or it is bad security practice.
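As an added example (not part of the thread and not Nextcloud code): a way to check, from the `Set-Cookie` headers a server sends, which cookies are browser-session cookies and which carry their own lifetime and therefore stay on disk after the browser is closed, the point raised in the reply about the local session cookie. The header lines and cookie names below are constructed placeholders, and the function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample headers; the cookie names are placeholders, not real Nextcloud cookies.
SAMPLE_SET_COOKIE = [
    "example_session=abc123; Path=/; Secure; HttpOnly",
    "example_remember_token=def456; Path=/; Max-Age=1296000; Secure; HttpOnly",
    "example_passphrase=ghi789; Path=/; Expires=Wed, 01 Jan 2020 00:05:00 GMT; HttpOnly",
    "example_old=deleted; Path=/; Max-Age=0",
]


def classify(header, now):
    """Return (name, kind, seconds_left) for one Set-Cookie header value.

    kind is "session" (no lifetime attribute, dropped when the browser exits),
    "persistent" (lifetime still in the future) or "deleted" (lifetime <= 0).
    """
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    if morsel["max-age"] != "":
        # RFC 6265: Max-Age takes precedence over Expires when both are present.
        left = int(morsel["max-age"])
    elif morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        left = int((expires - now).total_seconds())
    else:
        return name, "session", None
    return name, ("persistent" if left > 0 else "deleted"), left


def survives_browser_close(headers, now):
    """Names of cookies that remain valid after the browser is closed and reopened."""
    return [name for name, kind, _ in (classify(h, now) for h in headers)
            if kind == "persistent"]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for header in SAMPLE_SET_COOKIE:
        print(classify(header, now))
    print("survive browser close:", survives_browser_close(SAMPLE_SET_COOKIE, now))
```

Feed it the `Set-Cookie` lines from the browser's developer tools after logging in. A browser set to restore the previous session on startup can keep "session" cookies as well, so the browser configuration on a public computer needs checking too.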