
ldiebold

Are longer session lifetimes dangerous?

Is it dangerous to change a session's lifetime to a week?


    // config/session.php

    'lifetime' => 10080  // minutes, i.e. 7 days

I don't see why not, but it feels a little scary to change something like that without advice.

Thanks :)

juandmegon

Well, in fact you have a "remember me" feature; you should use it instead for the users who want to keep an active session.

Basically it is not dangerous for your application, it is more so for the user, if they forget to log out. In fact, you can enable the feature to remove the session after the browser/window is closed. Equally, it can reduce the quantity of active sessions, because many of them aren't really from active users.
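The alternative the reply recommends, as an added example that is not code from the original posts: leave `config/session.php` `'lifetime'` at a short value (Laravel's default is 120 minutes) and let a user opt in to a long-lived login through the "remember me" checkbox. It assumes a standard Laravel application whose login form posts `email`, `password` and an optional `remember` field; the redirect targets and error messages are placeholders.

```php
<?php
// app/Http/Controllers/Auth/LoginController.php (added example, not from the thread)
//
// Keeps the regular session bound by the short 'lifetime' in config/session.php
// and issues a long-lived login only when the user explicitly asks for it.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LoginController extends Controller
{
    public function login(Request $request)
    {
        $credentials = $request->only('email', 'password');

        // Second argument of Auth::attempt() enables "remember me". Laravel then sets a
        // separate remember_token cookie (created with the cookie jar's forever()) whose
        // expiry is independent of session 'lifetime'. Users who leave the box unchecked
        // get a plain session that expires after 'lifetime' minutes of inactivity.
        $remember = $request->filled('remember');

        if (! Auth::attempt($credentials, $remember)) {
            return back()->withErrors(['email' => 'Invalid credentials.']);  // placeholder text
        }

        // Rotate the session id whenever privilege changes, to prevent session fixation.
        $request->session()->regenerate();

        return redirect()->intended('/home');  // assumed landing page
    }

    public function logout(Request $request)
    {
        Auth::logout();                      // also cycles the remember token and forgets its cookie
        $request->session()->invalidate();   // destroys the server-side session data

        return redirect('/');
    }
}
```

Code that performs a sensitive action (password or e-mail change) can additionally check `Auth::viaRemember()`: it returns true when the current login was restored from the remember cookie rather than a fresh password entry, which is a reasonable trigger for asking for the password again.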

jekinney

Agree that it may not be dangerous, but it depends. Obviously, if a user walks away and someone else gets on the PC (think Internet cafe, family PC, library, etc.), someone looks up the history in the browser, and even though the actual user didn't log out but also didn't check "remember me" (defaults to one month, I believe), the next user is on the account changing passwords, or worse if they have some type of admin access.

moharrum

I agree with @juandmegon and @jekinney; it might not be dangerous to the application, but you can use lock screens. I always do this; I think of it as an extra layer of security to protect users' accounts, where you ask the user to re-enter his/her password to restore their session. I do this when the user uses the system after 2 hours of inactivity or when updating email or password, and there is one more check when accessing the admin section for the first time in the current session or after 30 minutes of inactivity.

moharrum

@Juukie, I basically log the activities of the users in a db table; querying these logs and using some date/time calculations, I can figure out which user to send to the lock screen using a middleware.

Juukie

But you don't query the logs on every request I guess?
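An added example, not moharrum's code, that implements the lock-screen rules described in the thread (re-enter the password after 2 hours of inactivity; 30 minutes, plus a first-visit check, for the admin section) while keeping the timestamps in the session instead of an activity-log table, so nothing is queried from the database on each request. Assumed names: the middleware alias `recent` registered in `app/Http/Kernel.php`, a route named `lockscreen`, and a view `auth.lockscreen` with a password field.

```php
<?php
// app/Http/Middleware/RequireRecentActivity.php (added example, not from the thread)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RequireRecentActivity
{
    // Idle limit in seconds per scope, and whether the first request in that scope
    // within the current session must go through the lock screen.
    const SCOPES = [
        'default' => ['idle' => 2 * 60 * 60, 'check_first_visit' => false],
        'admin'   => ['idle' => 30 * 60,     'check_first_visit' => true],
    ];

    // Usage (assumed alias 'recent'):
    //   Route::middleware(['auth', 'recent'])->...          2 h idle limit
    //   Route::middleware(['auth', 'recent:admin'])->...    admin rules
    // The 'lockscreen' routes themselves must NOT carry this middleware, or they loop.
    public function handle(Request $request, Closure $next, string $scope = 'default')
    {
        if (! $request->user() || ! isset(self::SCOPES[$scope])) {
            return $next($request);   // guests are rejected by 'auth'; unknown scope is a no-op
        }

        $rules   = self::SCOPES[$scope];
        $session = $request->session();
        $key     = "lockscreen.last_activity.$scope";
        $now     = time();
        $last    = $session->get($key);

        $firstVisit  = ($last === null);
        $idleTooLong = ! $firstVisit && ($now - $last) > $rules['idle'];

        if ($idleTooLong || ($firstVisit && $rules['check_first_visit'])) {
            $session->put('lockscreen.intended', $request->fullUrl());
            $session->put('lockscreen.scope', $scope);

            return redirect()->route('lockscreen');
        }

        $session->put($key, $now);   // one session write per request, no DB query

        return $next($request);
    }
}

// app/Http/Controllers/LockScreenController.php (same added example)

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class LockScreenController extends Controller
{
    public function show()
    {
        return view('auth.lockscreen');   // assumed view: one password field
    }

    public function verify(Request $request)
    {
        $session = $request->session();
        $scope   = $session->get('lockscreen.scope', 'default');

        if (! Hash::check($request->input('password'), $request->user()->password)) {
            return back()->withErrors(['password' => 'Wrong password.']);
        }

        // Unlock: mark the requested scope and the general scope as active now.
        $session->put("lockscreen.last_activity.$scope", time());
        $session->put('lockscreen.last_activity.default', time());

        return redirect()->to($session->pull('lockscreen.intended', '/'));
    }
}
```

To force the re-check after an e-mail or password change, the update handler only has to `forget()` the `lockscreen.last_activity.admin` key (or set it to an old timestamp); the next admin request then lands on the lock screen without any log lookup. The activity log table can still be written for auditing, but it is no longer on the request path.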
