When a Sitecore user logged in, a cookie (.ASPXAUTH) is set. As long as cookie exists, the user remains logged in. And Authentication.ClientSessionTimeout setting in the Sitecore.config file specifies the timeout value of this cookie. The default setting is 60 minutes, can change this value if wanted user sessions to time out faster.