We've been doing a fair bit of research lately on how better to deal with sessions on a forms-based authentication site. By default SharePoint creates a fixed 10 hour session using a permanent cookie that persists beyond the browser session. This means that even if you close all your browser windows and re-open it, you session is persisted and you are still logged in. The only way to logout is to explicitly do so.
While session persistence has some benefits, particularly around single sign-on and Office integration (you don't need to re-athenticate as you launch Word, Excel, PowerPoint, etc. from SharePoint), it has some drawbacks from a security perspective. If your Extranet is more about providing a secure web experience than Office integration, you probably don't want the persistent session. Thankfully there is an easy solution to the session persistence, in the form of a number of PowerShell commands we'll get to in a minute.
The other part of the problem is the 10 hour session. Again this is convenient, but not neccessarily best practice for all secure Extranets. You can shorten the session, but what we found was that it didn't slide. What this means is if you shorten it to 10 minutes, at 10 minutes your session will expire and you'll be force to re-authenticate, even if you were constantly using the site throughout those 10 minutes. What we wanted was for the session to expire after 10 minutes of inactivity. ...