I cannot find a way to configure Flask-Security-Too to set an expiration time on my login session. My code for app.py is below.
I've tried setting SECURITY_LOGIN_WITHIN and SECURITY_TOKEN_MAX_AGE, but in both cases it does not work.
My session is not token-based, because even if I use an incognito browser session I can log in again after the configured 2 minutes.
It seems I'm not configuring it correctly.
Thanks for your help & support
import os
from datetime import timedelta

from dotenv import load_dotenv
from flask import Flask
from flask_mailman import Mail
from flask_security import SQLAlchemySessionUserDatastore, Security
#from flask_security import login_required
from flask_security import auth_required

import commands
from database import db
from models.auth import User, Role
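load_dotenv()

app = Flask(__name__)

# Secrets are read from the environment. The literal fallbacks below are
# DEVELOPMENT-ONLY defaults: they are committed to source, so while they are
# in use anyone with the repository can forge session cookies and password
# tokens. Startup logs a warning whenever a fallback is actually used.
_DEV_SECRET_KEY = "0aedgaii451cef0af8bd6432ec4b317c8999a9f8g77f5f3cb49fb9a8acds51d"
_DEV_PASSWORD_SALT = "ab3d3a0f6984c4f5hkao41509b097a7bd498e903f3c9b2eea667h16"

app.config["SECRET_KEY"] = os.environ.get("SECRET_KEY", _DEV_SECRET_KEY)
app.config["SECURITY_PASSWORD_SALT"] = os.environ.get(
    "SECURITY_PASSWORD_SALT", _DEV_PASSWORD_SALT)
if "SECRET_KEY" not in os.environ or "SECURITY_PASSWORD_SALT" not in os.environ:
    app.logger.warning(
        "SECRET_KEY and/or SECURITY_PASSWORD_SALT are not set in the "
        "environment; falling back to the insecure development defaults")

app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
app.config["SECURITY_REGISTERABLE"] = True
app.config["SECURITY_CONFIRMABLE"] = True  # Confirmation via email

# Mail transport (Flask-Mailman); every value comes from the environment.
# NOTE(review): MAIL_PORT is passed through as the raw string from getenv
# -- confirm the mail backend accepts a str port or convert it to int.
app.config["MAIL_SERVER"] = os.getenv("MAIL_SERVER")
app.config["MAIL_PORT"] = os.getenv("MAIL_PORT")
app.config["MAIL_USE_SSL"] = False
app.config["MAIL_USE_TLS"] = True
app.config["MAIL_USERNAME"] = os.getenv("MAIL_USERNAME")
app.config["MAIL_PASSWORD"] = os.getenv("MAIL_PASSWORD")
mail = Mail(app)

# Session timeout.
# PERMANENT_SESSION_LIFETIME is Flask's own setting for how long the signed
# session cookie stays valid; it is the knob that bounds a login session.
# SECURITY_LOGIN_WITHIN (Flask-Security) is the lifetime of an emailed
# login link, not of the session, so on its own it does not log anyone out.
SESSION_TIMEOUT = timedelta(minutes=2)
app.config["PERMANENT_SESSION_LIFETIME"] = SESSION_TIMEOUT
app.config['SECURITY_LOGIN_WITHIN'] = "2 minutes"
# NOTE(review): a "remember me" cookie can re-establish a session after the
# timeout above -- confirm against the login form and REMEMBER_COOKIE_DURATION.

# Database: the URI is taken verbatim from DATABASE_URL.
uri = os.getenv("DATABASE_URL")
app.config["SQLALCHEMY_DATABASE_URI"] = uri
db.init_app(app)
commands.init_app(app)

# Flask-Security wiring: user/role lookup goes through the SQLAlchemy session.
user_datastore = SQLAlchemySessionUserDatastore(db.session, User, Role)
security = Security(app, user_datastore)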
@app.route("/")
@auth_required()
def home():
    """Landing page; only reachable by an authenticated user."""
    greeting = "Hello, world!"
    return greeting
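# Disabled experiment: refresh a sliding 1-minute session lifetime on every
# request. Kept as comments rather than a bare string literal, which the
# interpreter evaluates as a no-op expression and which hides that the
# snippet references session, g and current_user -- none of which this
# file imports.
#
# @app.before_request
# def before_request():
#     session.permanent = True
#     app.permanent_session_lifetime = timedelta(minutes=1)
#     session.modified = True
#     g.user = current_user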
@app.route("/protected")
@auth_required()
def protected():
    """Protected page; confirms to the caller that they are logged in."""
    message = "You're logged in!"
    return message