The SessionMaxAge Directive is reset at every request. While this is reasonable for a lot of usecases, company policies often require that sessions are terminated after a fixed time no matter what, even if the user is still online/working. I therefore propose a new directive to specify an absolute SessionMaxAge. When a session is saved, this time limit is NOT reset/updated. As an alternative you could allow to redefine current behavior with a flag. This would not break existing configurations, but it would be less flexible. Some companies require even both, that sessions get destroyed after a fixed time AND that sessions time out.