There is something either in the server (Apache) set up or in php.ini that determines how long your session files live for before being deleted but I don't remember off hand where.
However, I handle this myself another way. I just have a variable saved along in the session array $_SESSION, for example $_SESSION['lastaccess'], which holds the time of the user's last page request. Each time the user makes a new page request, the current system time is compared to this session variable, and if the difference is larger than my allowed time out, I log the user out and present the user with the login page. If the time difference is smaller than the allowed time, then I set $_SESSION['lastaccess'] equal to the current time and serve the user the page he/she was asking for.
The reason I do it this way is because I do not just log the user out and destroy the session file, but I serialize the user's $_SESSION and $_POST arrays and store them in a database table. When the user logs in again, I check to see if there is an entry in this session-storage table for this user, and if so, I actually reconstruct where the user was trying to get to, and then remove the row for this user in the session-storage table.
In this manner, I effectively log the user out if the user is away from the computer for too long, but the user does not lose any work that he/she was doing. Because when the user successfully does log in again, the session and the page request is effectively restored, as if the user never was timed out.