For Web-based applications, session timeouts are valuable for both performance and security. When users walk away from a system without logging out from the Web application, terminating the idle session frees up resources. It also helps secure the Web application by lessening the chance that an unauthorized person will take advantage of the open connection.
However, session timeouts can be a nuisance for authorized users when one occurs at an inconvenient time. By default, Outlook Web Access (OWA) 5.5 has session timeouts of 60 minutes for authenticated users and 20 minutes for anonymous users, but these timeout values are easy to change.
Open the Registry Editor (Regedt32.exe), and
Under Parameters, two values control session timeouts: AuthenticatedSessionTimeout and (if activated) AnonymousSessionTimeout. Edit the data in each value to reflect the desired session timeout, expressed in minutes.
There's no right answer for how long to set your session timeout values. The trick is addressing performance and security concerns while minimizing user inconvenience.
Note: Editing the registry is risky, so be sure you have a verified backup before making any changes.