Just remove "enableAutoLogin" from your user config and it will just work fine.

Your code shall look like this:

'user' => [
            'identityClass' => 'app\models\User',
            'authTimeout'=>100
        ],

In your config/web.php file:

In $config array:

...

'user' => [
            'identityClass' => 'app\models\User',
            //'enableAutoLogin' => true,
            'enableSession' => true,
            'authTimeout' => 60,
        ],

...

Please note I commented the //enableAutoLogin, that prevents of authTimeout to work properly

Your config is correct. But it will not automatically refresh your page and show you login form. Technically it will log you out only at the next request after the session is expired. And you should be aware of ajax scripts working on your page and calling some other pages by time interval. Every request will renew your session timeout. There is also "absoluteAuthTimeout" parameter instead of "authTimeout" - that will log you out after the timeout despite of your activity.

$authTimeout - public property.

The number of seconds in which the user will be logged out automatically if he remains inactive. If this property is not set, the user will be logged out after the current session expires (c.f. yii\web\Session::$timeout).

Note that this will not work if $enableAutoLogin is true.

if you want log out user after X time. You should check with ajax each second. If expired redirect to log out

You can also use

session.gc_maxlifetime

setting in php.ini

By default it is 1440 secs.