Risks of Long-life Session


Most “big” websites seem to have enormous sessions. From looking through the cookies, Stack Exchange seems to have a one-week rolling session, GitHub has 45 days, and Gmail seems to have a never-ending session.

What are the security implications for having sessions longer than an a few hours? Apparently, the recommended time for session expiry is just fifteen minutes, but obviously that’s pretty bad for user experience. Is there a nice, happy medium for session expiry that smaller webapps can use? How do major websites manage to get away with such long sessions?