every 90 seconds) as long as the corresponding tab/window is open.
If the last activity was more than X minutes ago, consider the session expired and explicitly expire the session cookie by setting an expiration time far back.
Setting a cookie expiration time far back in the past (1971-01-01 for example) will tell the client it can garbage collect the session cookie, while still making sure you do the actual expiring on the server side.
This should be done by server-side check: On each (valid) request, store the request time in/for this session.
Whenever a subsequent request is made, check the current time against the previous request time.