Session timeout occurs when a user performs no action on a website for an interval defined by the web server. On the server side, the event changes the status of the user session to ‘invalid’ (i.e. “not used anymore”) and instructs the web server to delete all data contained in the session.
OWASP recommends that application builders implement short idle timeouts (2-5 minutes) for applications that handle high-risk data, such as financial or healthcare information. It considers longer idle timeouts of between 15 and 30 minutes acceptable for low-risk applications.
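The server-side behaviour described above (tracking last activity, marking the session invalid once the idle interval elapses, and discarding its data), as an added example that is not code from the original page or from OWASP; the class and function names, the in-memory store and the choice of the upper bound of each OWASP tier as the configured value are assumptions.

```python
"""In-memory session store with a server-side idle timeout (illustrative example)."""
import secrets
import time
from typing import Callable, Dict, Optional

# Idle timeouts in seconds per risk tier, taken from the OWASP guidance quoted above.
# The upper bound of each range is used here; any value inside the range is acceptable.
IDLE_TIMEOUT_SECONDS = {
    "high_risk": 5 * 60,   # financial / healthcare data: 2-5 minutes
    "low_risk": 30 * 60,   # low-risk applications: 15-30 minutes
}


class SessionStore:
    """Tracks the last-activity time of each session and discards idle ones."""

    def __init__(self, idle_timeout: int, clock: Callable[[], float] = time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock            # injectable so the idle interval can be simulated
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[sid] = {"user": user, "data": {}, "last_seen": self.clock()}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Return the session on activity; if it sat idle too long, delete it and return None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self.clock() - sess["last_seen"] > self.idle_timeout:
            self.invalidate(sid)       # status becomes invalid and all session data is removed
            return None
        sess["last_seen"] = self.clock()   # any request resets the idle clock
        return sess

    def invalidate(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def sweep(self) -> int:
        """Server-side housekeeping: purge idle sessions even when no request arrives for them."""
        now = self.clock()
        idle = [s for s, v in self._sessions.items() if now - v["last_seen"] > self.idle_timeout]
        for s in idle:
            self.invalidate(s)
        return len(idle)
```

A request touching the session resets its idle clock, while `sweep()` removes sessions that timed out without any further request, so data does not linger on the server.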