All server sessions should timeout eventually if operating properly. If they aren't, then it is an issue with the permissions on the session folder not deleting session files properly. The session timeout can be found by viewing phpinfo and the session.gc_maxlifetime value. That value is in seconds and can be edited to be whatever length you need.
By default, sessions are stored as text files in a folder (also saved in the php.ini file session.save_path). It can happen that that folder doesn't have proper permissions and can't delete the session files like it is supposed to after the timeout expires. This can cause sessions to persist indefinitely and will eventually be a disk space issue on your server.