DanielGabriel
Level 3
Status: New

Session timeout represents the event occurring when a user does not perform any action on the client application during an interval (defined by a web server). The event, on the server side, changes the status of the user session to ‘invalid’ (i.e. “not used anymore”) and instructs the web server to destroy it (deleting all data contained in it).

It is recommended to set session timeout to the minimal value possible depending on the context of the application. Usually idle timeout ranges are 2-5 minutes for high-value applications and 15-30 minutes for low-risk applications, as per OWASP.
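To make the mechanism described above concrete, here is an added example of a server-side session store that enforces an idle timeout. It is not code from this post or from any product; the `SessionStore` class, its method names and the `demo()` walkthrough are hypothetical, and the two timeout constants simply encode the OWASP ranges quoted above (the upper bound of each range is used). A request that arrives after the idle interval finds the session invalid, the session and its data are destroyed, and the caller sees `None`; a background sweep handles clients that never come back.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Idle-timeout ranges quoted in the post (OWASP guidance), in seconds.
# Which one applies is a deployment decision based on the application's risk.
IDLE_TIMEOUT_HIGH_VALUE = 5 * 60    # 2-5 minutes for high-value applications
IDLE_TIMEOUT_LOW_RISK = 30 * 60     # 15-30 minutes for low-risk applications


@dataclass
class Session:
    user: str
    last_activity: float
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Hypothetical server-side session store with an idle (inactivity) timeout.

    Not a real framework API. `clock` is injectable so the expiry logic can be
    exercised without sleeping.
    """

    def __init__(self, idle_timeout: int, clock: Callable[[], float] = time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # Session identifiers come from a CSPRNG so they cannot be guessed.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, last_activity=self.clock())
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Return the live session for `sid`, or None if unknown or timed out.

        A request arriving after the idle interval has elapsed marks the session
        invalid: it is destroyed (all data dropped) and the caller sees None, so
        the application treats the user as logged out.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_activity > self.idle_timeout:
            self.destroy(sid)
            return None
        # Any valid request counts as activity and restarts the idle clock.
        session.last_activity = now
        return session

    def destroy(self, sid: str) -> None:
        session = self._sessions.pop(sid, None)
        if session is not None:
            session.data.clear()

    def reap_idle(self) -> int:
        """Background sweep: destroy every session idle longer than the timeout.

        Needed because `get` only notices expiry when the client comes back; a
        client that never returns would otherwise leave its data on the server.
        """
        now = self.clock()
        expired = [sid for sid, s in self._sessions.items()
                   if now - s.last_activity > self.idle_timeout]
        for sid in expired:
            self.destroy(sid)
        return len(expired)

    def active_count(self) -> int:
        return len(self._sessions)


def demo() -> dict:
    """Walk a session through activity, idle expiry and a background sweep
    using a constructed fake clock (no real waiting)."""
    fake_now = [1_000_000.0]
    store = SessionStore(IDLE_TIMEOUT_HIGH_VALUE, clock=lambda: fake_now[0])

    sid = store.create("alice")
    store.get(sid).data["cart"] = "3 items"

    fake_now[0] += 4 * 60           # 4 minutes idle: still inside a 5-minute window
    still_valid = store.get(sid) is not None

    fake_now[0] += 5 * 60 + 1       # more than 5 minutes since the last request
    expired = store.get(sid) is None

    store.create("bob")
    fake_now[0] += IDLE_TIMEOUT_HIGH_VALUE + 1
    reaped = store.reap_idle()      # bob never came back; the sweep removes him

    return {"still_valid": still_valid, "expired": expired,
            "reaped": reaped, "remaining": store.active_count()}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the idle clock is restarted only by a request that reaches the server with a valid session (client-side timers are advisory and easily ignored), and expiry is enforced in both the lookup path and a periodic sweep so that abandoned sessions are destroyed even when no further request ever arrives.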
