The common approach is to have a timeout/end date and/or a date of last contact stored in your session. If the timeout or date of last contact is too long ago, the session is considered invalid and you need to enter your password again.