- Issue created by @alieffring
In the handler for the preventAutologout event, a timer is set up to reset the activity flag to false with the comment "Set a timer that goes off and resets this activity indicator after a minute, otherwise sessions never timeout." Clearly, this was put in place to fix an issue, and having tried to debug the messy logic going on in this module I see how hard it can be, but this seems wrong to me. It looks to me like autologout will only respect user activity if that activity happens in the last minute before logout (or worse, in the dev branch, 30 seconds), which doesn't seem like the expected behavior. If I've been working on the form for 28 minutes, get distracted for a couple minutes, and get logged out because I wasn't active in minute 29 with a 30 minute autologout setting, that sucks.
All this to say, I think the activityResetTimer callback should call refresh() before resetting the activity to false, to register the activity on the server at a reasonable interval and respect user activity throughout the lifetime of the page.
Active
1.0
Code
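The timer behaviour described in this issue, as a simplified model added here as an example; it is not the module's code. The names `simulate`, `every` and `refreshOnReset`, the per-second loop, and the 1800 s / 60 s defaults are assumptions for illustration; only `preventAutologout`, `activityResetTimer` and `refresh()` come from the issue.

```javascript
// Simplified model (assumption, not the module's code) of the timers in the issue.
// Times are seconds since page load; the loop stands in for setTimeout callbacks.
function simulate(activityTimes, opts = {}) {
  const { timeoutSec = 1800, resetSec = 60, refreshOnReset = false, horizonSec = 14400 } = opts;
  const activeAt = new Set(activityTimes);
  let activity = false;       // client-side activity flag
  let resetAt = null;         // when activityResetTimer fires
  let deadline = timeoutSec;  // when the logout check runs
  for (let t = 0; t <= horizonSec; t++) {
    if (activeAt.has(t)) {    // preventAutologout handler
      activity = true;
      resetAt = t + resetSec; // (re)arm activityResetTimer
    }
    if (t === resetAt) {      // activityResetTimer callback
      if (refreshOnReset) deadline = t + timeoutSec; // proposed: refresh() first
      activity = false;
      resetAt = null;
    }
    if (t === deadline) {     // logout check
      if (!activity) return t;   // no recent activity: logged out at t
      deadline = t + timeoutSec; // flag set: session extended
    }
  }
  return null; // not logged out within the horizon
}

// Constructed input: one interaction every stepSec seconds.
function every(fromSec, toSec, stepSec) {
  const times = [];
  for (let t = fromSec; t <= toSec; t += stepSec) times.push(t);
  return times;
}

const worked28min = every(0, 28 * 60, 30); // active for 28 minutes, then idle
console.log('current, 28 min of work:', simulate(worked28min));
console.log('refresh() before reset:', simulate(worked28min, { refreshOnReset: true }));
console.log('current, one click at 29:30:', simulate([1770]));
```

In this model the current logic logs the user out at 1800 s, two minutes after 28 minutes of work, while a single interaction at 1770 s extends the session to 3600 s. With `refreshOnReset` the same 28 minutes of work moves the logout to 3540 s.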