Limit user session time
Eamon Mason
Our enterprise follows the OWASP session expiration policies:
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration
"Common idle timeouts ranges are 2-5 minutes for high-value applications and 15-30 minutes for low risk applications"
We would consider 15-30 acceptable.
There should also be an absolute timeout:
"All sessions should implement an absolute timeout, regardless of session activity. This timeout defines the maximum amount of time a session can be active, closing and invalidating the session upon the defined absolute period since the given session was initially created by the web application. After invalidating the session, the user is forced to (re)authenticate again in the web application and establish a new session."
We would consider 10 hours as preferable but up to 18 hours acceptable.
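As an added illustration (not part of the post or of the product being requested), a minimal server-side session store that enforces both limits described above: an idle timeout that is refreshed on each request and an absolute timeout measured from session creation that no amount of activity extends. The 30-minute and 10-hour values are taken from the post; the class and function names are assumptions.

```python
from dataclasses import dataclass, field
import secrets

# Values from the request: 30-minute idle limit, 10-hour absolute limit.
IDLE_TIMEOUT_SECONDS = 30 * 60
ABSOLUTE_TIMEOUT_SECONDS = 10 * 60 * 60


@dataclass
class Session:
    user: str
    created_at: float      # absolute clock starts here and is never reset
    last_seen_at: float    # idle clock, refreshed on every validated request
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """In-memory session store enforcing idle and absolute expiry (example code)."""

    def __init__(self, idle=IDLE_TIMEOUT_SECONDS, absolute=ABSOLUTE_TIMEOUT_SECONDS):
        self.idle = idle
        self.absolute = absolute
        self._sessions = {}

    def create(self, user, now):
        """Start a session for `user` at time `now` (seconds) and return its token."""
        s = Session(user=user, created_at=now, last_seen_at=now)
        self._sessions[s.token] = s
        return s.token

    def validate(self, token, now):
        """Return (user, "ok") for a live session, refreshing its idle clock.
        Otherwise invalidate the session and return (None, reason)."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        # Absolute limit is checked first: activity must not extend it.
        if now - s.created_at >= self.absolute:
            del self._sessions[token]
            return None, "absolute"
        if now - s.last_seen_at >= self.idle:
            del self._sessions[token]
            return None, "idle"
        s.last_seen_at = now
        return s.user, "ok"
```

Once a session is dropped from the store, the same token is rejected as unknown, so the user must re-authenticate and receive a freshly generated token.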