I understand that timing out sessions introduces a usability issue, but I think it should be up to the administrators to set the timeout. If I had the option, I would probably set it to 12 hours. Similarly, with simultaneous sessions being allowed, this probably saves some people a lot of frustration, but if we want to tighten security by disallowing it, it would be useful to have that option in the administration console.