Session timeouts should be initiated after a certain period of inactivity,
which makes perfect sense for security reasons. You shouldn't restrict the
user to a session length, or you'll drive the users crazy.
Is there a technical reason why the developers aren't using inactivity as
the basis of timeout?
If you are stuck with having to limit session times, you are probably going
to have to do your own studies based on use of your particular application.
Session times are going to vary depending on the application and what the
user is trying to accomplish.