We don't touch the session expiration time when a user makes a request, so 20 minutes after the user logs in (regardless of how active the user is), the session will expire. We need to advance the expiration time on every request.