I will second this. After a bit of experimentation it is unclear what triggers a reset on the auth token timeout values.
Composing a new message, tabbing between messages all seem like it should trigger a reset, but it does not.
I tested this by setting the values very low, like 45 sec and found that I could do a LOT in the web client without triggering a reset.
We have had several cases open with Zimbra on client timeout issues (usually related to composing a message and then losing it all) but we have never had a solution.
Our auth token timeout is set to 4 hours and the session idle is set to 7 days.
If they match the idle session should in theory log the user out, but it appears what constitutes idle is not the same in the ajax client and what is sent to the server.