Session Expiration / Session Timeout

Web applications should be set to invalidate a user session after a period of inactivity. This session expiration or timeout protects users who did not logout from having someone else discover their logged-in session and take it over.