Request for an out of the box configuration setting for when sessions are fully expired
Request for an out of the box configuration setting for when sessions are fully expired:
• Session Expiration and let the client decide if they would like to redirect to Session Expired Page, or use Overlay with Session Expired Modal on same page.
• In this setting we could also provide additional sub-setting with ability to enable a session expiration warning (admin can set the number of minutes)
Incomplete Client-Side Inactivity Timeout: We have two different issues with this vulnerability,
• If a customer steps away from their system without an automatic logout after a period of inactivity, there is a risk that others may access sensitive information. (They can’t take any action, however they can see all the information on that current page)
• Customers believe they are still logged in while attempting to check out or submit orders, only to find themselves logged out unexpectedly. This can be frustrating for them.
This issue was raised as a security vulnerability by the security audit team, and it’s also a customer experience issue (they are not aware of session expiration). This is already in your tracker, where it’s mentioned as “Working as Designed”, but it’s a security issue. Please consider this as a security fix.
Incomplete Client-Side Inactivity Timeout | Low | When a user’s session expires, their active window is not redirected to a timeout or login page. Any information on the page remains exposed. | Working as Designed. This is currently designed behavior on Storefront, any action on a website after session timeout will redirect user to SignIn page.

Currently this can be handled at the project level with a customization made by an implementation partner.
Although we cannot guarantee a release date, we will include this in our roadmap discussions for future roadmap inclusion.
As part of an initial review we will be hoping to incorporate an out of the box setting for when sessions are fully expired with the following considerations:
- Session Expiration and let the client decide if they would like to redirect to Session Expired Page, or use Overlay with Session Expired Modal on same page.
- In this setting we could also provide additional sub-setting with ability to enable a session expiration warning (admin can set the number of minutes)

If there are additional considerations we should keep in mind please continue to add feedback.
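
The behaviour requested in this thread (expiry handled by redirect or by overlay, with an optional warning some minutes earlier), as an added example that is not Storefront code and not part of either post. It assumes a sliding server-side session whose lifetime the client timer mirrors; `createIdleTimeout`, `sessionRefreshed`, the `mode` switch and the `/session-expired` path are hypothetical names.

```javascript
// Added example; all names and the /session-expired URL are hypothetical.
function createIdleTimeout({ timeoutMs, warnBeforeMs = 0, now = Date.now,
                             onWarn = () => {}, onExpire = () => {} }) {
  let lastRefresh = now();
  let state = 'active'; // 'active' -> 'warning' -> 'expired'
  return {
    // Call after each successful authenticated request (assumed to extend the
    // server session). An already expired client state is never revived.
    sessionRefreshed() {
      if (state !== 'expired') { lastRefresh = now(); state = 'active'; }
      return state;
    },
    // Compares wall-clock time on every call, so throttled background-tab
    // timers or a sleeping laptop cannot postpone expiry.
    tick() {
      if (state === 'expired') return state;
      const idle = now() - lastRefresh;
      if (idle >= timeoutMs) {
        state = 'expired';
        onExpire();
      } else if (warnBeforeMs > 0 && idle >= timeoutMs - warnBeforeMs && state !== 'warning') {
        state = 'warning';
        onWarn(timeoutMs - idle); // milliseconds left, fired once per warning period
      }
      return state;
    },
  };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== 'undefined') {
  const mode = 'overlay'; // or 'redirect'
  const idle = createIdleTimeout({
    timeoutMs: 20 * 60 * 1000,   // assumption: equals the server session lifetime
    warnBeforeMs: 2 * 60 * 1000, // the admin-set warning window
    onWarn: (msLeft) => console.warn(`Session expires in ${Math.ceil(msLeft / 60000)} min`),
    onExpire: () => {
      if (mode === 'redirect') return location.replace('/session-expired');
      // Overlay mode: replace the page content instead of covering it, so the
      // data leaves the DOM and is not just hidden behind a modal.
      const notice = document.createElement('p');
      notice.textContent = 'Your session has expired. Please sign in again.';
      document.body.replaceChildren(notice);
    },
  });
  setInterval(idle.tick, 15000);
  document.addEventListener('visibilitychange', idle.tick);
}
```

The client timer only controls what stays on screen; the server-side session timeout remains the control that rejects actions after expiry.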