Well they should be able to stay logged on for a couple hours… they should only get timed out if they’re not using the site (generating requests or posts). It’s not good from a security perspective to make it longer… and bad for performance… but if you really need to then apache (or whatever web server) and php have their own session timeout variables. By default apache is 15 min for keeping a connection alive (keepalivetimeout). But it would be better to post a message to the user that they are about to be logged out… and they have to click a “I’m still here” button to be kept alive.