Security Basics mailing list archives

Session Hijacking


From: Frank Oz <jedi31337 () gmail com>
Date: Thu, 19 Jan 2006 21:00:55 -0500

Just a quick question as I'm preparing a Web Portal document and wanted to
include some security pieces. This customer wants to have a 2-6 hour or even
unlimited timeout set for their user when they disconnect, because
they don't want to re-login every time.

If a user closes his browser and the session stays active, what else can a
hacker achieve during this time?

Thanks for the help in advance!
