added a comment - - edited
In light of this post: https://groups.google.com/d/msg/couchbase-8091/tOPdBUVZouU/7_IvOPC2bq8J
Quoted for any not on the 8091 list: "Actually timed out logout does not add much security - it works only when you have browser window open. When I happen to browse to another URL in the same tab/window and return back to Couchbase even several days later, it does not ask for password and opens immediately.
It would seem the implementation as-is does not really offer more security than annoyance. This patch would remove it: http://review.couchbase.org/#/c/21276/
If we actually want to offer some sort of security we could make the login cookie a session cookie. Mind, if an adversary has physical access to a user's unlocked machine, our timing out will not save them.