Perhaps having a session open for a long period of time is not a good idea, I
don't know there isn't enough quantifiable evidence to support this in either
direction, however saying "You don't want to keep the session open too long
because you are going to run out of memory", although has some merits can be
a onernous statement. Firstly it depends on your application, if you know
your target audience and how they use your website keeping sessions open
longer can be beneficial. Take for example an employee who uses an
application all day long, if you expire the page in 20 minutes, they would
have to log in roughly 5 to 6 times per day on average, based on normal usage
patterns. Even though they use that application all day long they aren't
constantly posting back to the server all day long (checking email, surfing
the web, etc) So an alternative is use javascript to keep the page alive.
This might seem great on the surface however, in essence you still are
keeping the session open for a long period of time (all day), yet you are
increasing the load on the server (postbacks at least every 20 minutes just
to keep the session alive) So you get no net decrease in memory usage yet net
increase in server usage. In my employee example the timeout was simply
changed to 90 minutes and their log in times in an eight hour day was reduced
from 6 to 1. Simply because we monitored usage patterns and behaviour. Also
if you use sqlserver session storage no web server memory is used for
inactive sessions.
Where having a low timeout is beneficial, is when you have many visitors to
the site who use the site very infrequently and stay for 1 or 2 minutes then
leave and never return. Keeping their sessions open longer, could have a
negative effect on server resources. But you would know this and would adjust
timeout to meet the requirements on the users.