• Passerby6497@lemmy.world
    3 days ago

    it’s because someone in your IT department thinks that applying a short “max session length” policy is “extra secure”.

    And that person is right, up to a point at least.

    If you hijack my session, a short session lifetime explicitly kicks you out at the end of my original session, and you have to re-hijack. Assuming you don’t have both factors, it’s an easy way to limit the foothold of an attacker and make them have to try even harder. Cranking it too low will do the opposite, but we have more than a standard work shift for our session length, and it’s more than long enough to not be a massive annoyance.
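
An added illustration of the point in the comment above (not part of the thread): a session validator in which activity refreshes only the idle timer and never the original login time, so a copied token stops working at the end of the original session. The token format, the key, and the 10-hour and 30-minute limits are assumptions made for this example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed value, not a real key
MAX_SESSION = 10 * 3600           # assumed absolute lifetime (longer than a work shift)
IDLE_TIMEOUT = 30 * 60            # assumed idle limit

def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def _pack(claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return (body + b"." + _sign(body)).decode()

def issue(user: str, now: int) -> str:
    """Called only after a full login with both factors."""
    return _pack({"user": user, "auth_at": now, "seen_at": now})

def validate(token: str, now: int):
    """Return (claims, refreshed_token), or (None, None) when re-login is required."""
    body, _, sig = token.encode().partition(b".")
    if not hmac.compare_digest(sig, _sign(body)):
        return None, None  # tampered or unsigned token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now - claims["auth_at"] >= MAX_SESSION:
        return None, None  # absolute cap, measured from the original login
    if now - claims["seen_at"] >= IDLE_TIMEOUT:
        return None, None  # session left unused for too long
    claims["seen_at"] = now  # only the idle timer moves; auth_at never does
    return claims, _pack(claims)

def cutoff_with_constant_use(token: str, start: int, step: int = 600) -> int:
    """Keep using the token every `step` seconds; return the time it stops working."""
    now = start
    while True:
        claims, token = validate(token, now)
        if claims is None:
            return now
        now += step
```

If `validate` instead reset `auth_at` on every request, `cutoff_with_constant_use` would never return, which is the sliding-expiry behaviour a maximum session length is meant to rule out.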