Do you enforce automatic timeouts on idle privileged admin sessions?

session timeout

Session timeout is the process by which an application or system logs a user out of the current session after a defined period of inactivity.

Why are they asking this?

Failing to time out an idle session is both a security and a resource issue for the application or system.

If a session is left inactive, it may be a sign that the user has walked away from the session and no longer needs access. The risk is that another person may come along and use the same client computer or browser. That person would then take over the session and access the application as the original user, possibly without any authorization to use the system at all, or with a lower level of privilege than the original user holds. Additionally, non-repudiation is lost, because every action taken by the new user is logged or audited as the original user.

What do they expect?

They may expect to see the settings for session timeout, including the number of minutes of inactivity before the timeout fires. This could be a screenshot of the administrative interface or a walkthrough of that part of the system. They may also require a demonstration of the feature, proving that an inactive session actually times out.


In some situations, policy documents and/or configuration guides may suffice as evidence. However, this is proof of intention, not implementation.
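As an added illustration (not taken from the questionnaire or from any particular product), the following Python sketch shows the mechanism an assessor is looking for: an idle timer that only activity resets, a shorter idle window for privileged roles, an absolute session lifetime, and an audit record of why each session ended. The role names, timeout values and function names are assumptions made for this example.

```python
import time
from dataclasses import dataclass

# Constructed policy values for this example (not from the questionnaire):
# privileged sessions get a much shorter idle window than ordinary users,
# and every session also has an absolute lifetime regardless of activity.
IDLE_TIMEOUT_SECONDS = {"user": 30 * 60, "admin": 10 * 60}
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60


@dataclass
class Session:
    subject: str
    role: str
    created_at: float
    last_activity: float


class SessionStore:
    """In-memory session table that enforces idle and absolute timeouts."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can advance time
        self._sessions = {}
        self.audit_log = []          # (session_id, subject, event) tuples

    def create(self, session_id, subject, role):
        now = self._clock()
        self._sessions[session_id] = Session(subject, role, now, now)
        self.audit_log.append((session_id, subject, "login"))

    def touch(self, session_id):
        """Call on every request. Returns True if the session is still valid;
        otherwise terminates it, records why, and returns False."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        now = self._clock()
        if now - s.last_activity >= IDLE_TIMEOUT_SECONDS[s.role]:
            self._end(session_id, "idle_timeout")
            return False
        if now - s.created_at >= ABSOLUTE_TIMEOUT_SECONDS:
            self._end(session_id, "absolute_timeout")
            return False
        s.last_activity = now        # activity resets only the idle clock
        return True

    def _end(self, session_id, reason):
        s = self._sessions.pop(session_id)
        self.audit_log.append((session_id, s.subject, reason))
```

The audit entries are what make the demonstration reviewable: a log line showing `idle_timeout` for an admin session is direct evidence that the control is implemented, not merely documented.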