View Issue Details

ID: 0032963
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-09-26 12:30
Reporter: nhchoudhary
Assigned To: (none)
Priority: high
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 2.25.6
Summary: 0032963: Session Timeout is Too Long
Description

The application had profiles configured with idle session timeouts that exceeded corporate security requirements. Excessively long idle session timeouts result in more open, idle sessions for attackers to target.

Please let us know how to configure the session timeout to expire after 20 minutes.

Steps To Reproduce

Log in to the application and check after 1 hour: the session is still active.

Tags: No tags attached.

Activities

dregad (developer), 2023-09-26 12:30, note ~0068137

Please let us know how to configure session timeout after 20 minute.

AFAIK, this can't be done globally as of today.

Forced session expiration is only implemented in management pages, and the timeout for that can be set with $g_reauthentication_expiry.

What you can maybe try is to set $g_allow_permanent_cookie = OFF (so the session cookie will expire when the browser closes) or change $g_cookie_time_length = 60 * 20, but I'm not sure that's what you want.

Also, you may want to play with the PHP session expiry ini setting session.gc_maxlifetime, but that does not give you a deterministic maximum duration.

Or you can customize the code to call auth_reauthenticate() on every page.
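As an added illustration (not code from this issue or from the MantisBT project), the options dregad lists, written as a config_inc.php excerpt with the permissive values beside the tightened ones. The numeric values are assumptions, and the ini_set line assumes PHP's session has not yet been started when config_inc.php is read.

```php
<?php
# config_inc.php excerpt (added illustration, not MantisBT's own file).
# Option names are the ones referenced in the developer's comment; the
# numbers below are assumptions chosen for a 20-minute policy.

# --- permissive: a persistent "remember me" login cookie with a very long
#     lifetime, which is the situation the report describes ---
# $g_allow_permanent_cookie = ON;
# $g_cookie_time_length     = 30000000;   # assumed value, counted from login

# --- tightened: no persistent login cookie at all; the browser discards the
#     session cookie when it closes. This bounds the cookie, not idle time. ---
$g_allow_permanent_cookie = OFF;

# If permanent cookies must stay enabled, cap their lifetime instead. This is
# an absolute lifetime from the moment the cookie is issued, not an idle
# timeout: a user who is active for 21 minutes is still logged out.
$g_cookie_time_length = 60 * 20;

# Forced re-authentication is only enforced on management pages; this is the
# number of seconds before such a page asks for the password again.
$g_reauthentication_expiry = 60 * 20;

# PHP-level session garbage collection. Session data older than this becomes
# eligible for removal, but collection runs only with probability
# session.gc_probability / session.gc_divisor on a given request, so it is
# not a guaranteed cutoff. Assumes the session is started after this file.
ini_set( 'session.gc_maxlifetime', 60 * 20 );

# None of the settings above implements a true idle timeout; that needs a
# per-request check in customized code, as the comment notes.
```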