session, expiration and timeout

Timeout depends on the user's parameters:

  • the timeout time
  • what happens on timeout.

Sessions should never expire, because they can be used for tracking, not just authentication. Nevertheless, on timeout, the user should be logged out. How the user is logged out/in is very application-specific. I suggest you create a model file called models/timeout.py that contains:

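import time

TIMEOUT = 30 * 60  # idle timeout in seconds
PATH_ON_TIMEOUT = '/%s/default/logout' % request.application
# Redirect idle sessions to the logout page; the logout page itself is exempt,
# otherwise the redirect would loop.
if (session.lastrequest and session.lastrequest < time.time() - TIMEOUT
        and request.env.path_info != PATH_ON_TIMEOUT):
    # optional, if you don't care about tracking usage: session.clear()
    redirect(PATH_ON_TIMEOUT)
session.lastrequest = time.time()  # refreshed on every request that is not redirected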

and create a controller default/logout that performs the logout. I do not think you need more.
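
The following is an added example, not part of the original post and not web2py code: it replays the model file's check outside the framework to show why the logout path is exempt from the redirect. The application name "app", the Redirect class, the "user" session key and the logout_controller body are assumptions made for the simulation.

```python
TIMEOUT = 30 * 60                      # seconds, same value as the model file
LOGOUT_PATH = "/app/default/logout"    # constructed application name "app"

class Redirect(Exception):
    """Stands in for web2py's redirect(), which aborts the request by raising."""
    def __init__(self, location):
        super().__init__(location)
        self.location = location

def timeout_model(session, path, now, exempt_logout=True):
    """The models/timeout.py check, run once per request before the controller."""
    last = session.get("lastrequest")
    expired = last is not None and last < now - TIMEOUT
    if expired and (not exempt_logout or path != LOGOUT_PATH):
        raise Redirect(LOGOUT_PATH)    # raised before lastrequest is refreshed
    session["lastrequest"] = now

def logout_controller(session):
    """Hypothetical default/logout: drop the authenticated state only."""
    session.pop("user", None)

def browse(session, path, now, exempt_logout=True, max_hops=5):
    """Follow redirects as a browser would; return the list of paths requested."""
    hops = [path]
    while len(hops) <= max_hops:
        try:
            timeout_model(session, hops[-1], now, exempt_logout)
        except Redirect as r:
            hops.append(r.location)
            continue
        if hops[-1] == LOGOUT_PATH:
            logout_controller(session)
        return hops
    raise RuntimeError("redirect loop: " + " -> ".join(hops))
```

With the exemption, an idle session is sent to the logout page once and its timestamp is refreshed there; without it, the timestamp is never refreshed and every request to the logout page is redirected to itself.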
