What is the ideal session timeout?
Robin Kretzschmar


Publish Date: Jan 11 '23

To make applications that rely on user sessions secure, it is necessary to define a session timeout.
The timeout defines how long a user session stays valid: after the set amount of time without activity, the session expires and the user needs to authenticate again.

There is always a conflict between convenience for the user, who should not need to log in too often, and strict security on the code side, which wants to keep the timeout as short as possible.

I've seen anything throughout my career, from 4 hours up to 30 days.

What is the ideal session timeout for you and why?
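
The inactivity timeout described in the post, sketched as an added example that is not part of the original post: a server-side store that restarts the idle window on each request and deletes the session once the window has elapsed. The names `SessionStore`, `touch` and `simulate`, the user `alice` and the request timeline are assumptions made for illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions with an idle (inactivity) timeout."""

    def __init__(self, idle_timeout_s, clock=time.monotonic):
        self.idle_timeout_s = idle_timeout_s
        self._clock = clock          # injectable so the expiry logic can be tested
        self._sessions = {}          # session id -> (user, time of last activity)

    def login(self, user):
        """Create a session after successful authentication; return its id."""
        sid = secrets.token_urlsafe(32)   # unguessable identifier
        self._sessions[sid] = (user, self._clock())
        return sid

    def touch(self, sid):
        """Return the user and restart the idle window, or None if expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen >= self.idle_timeout_s:
            # Expired: delete server-side so a late request cannot revive it
            # and the user has to authenticate again.
            del self._sessions[sid]
            return None
        self._sessions[sid] = (user, now)  # activity slides the window forward
        return user


def simulate(idle_timeout_s, request_offsets_s):
    """Replay requests at the given seconds after login; return each result."""
    now = [0.0]
    store = SessionStore(idle_timeout_s, clock=lambda: now[0])
    sid = store.login("alice")            # constructed sample user
    results = []
    for offset in request_offsets_s:
        now[0] = offset
        results.append(store.touch(sid))
    return results


if __name__ == "__main__":
    # Constructed timeline: requests 1 h, 4.5 h, 9 h and 9.1 h after login.
    print(simulate(4 * 60 * 60, [3600, 16200, 32400, 32760]))
```

With a 4 hour idle timeout the request at 4.5 hours still succeeds, because the earlier request restarted the window; an idle timeout alone does not bound the total lifetime of an active session.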

Comments 1 total

  • wenrei, Feb 18, 2023

    It depends on the nature of the application, say if it's a bank app I would timeout the session after 5 minutes.
