I would think that during QA testing you will track the average length of time that a user needs to complete a task on a site. Given this average, you will adjust and determine the standard deviation accordingly, using this to create a good timeout.
Example.
To complete the task, the user needs an average of 5 minutes. Say your SD is 2, so you will have 5-2SD at the lower end, so one minute and 5 + 2SD at the upper end, so 9 minutes. Take the top end and display a warning that the user is about to log out, and then wait one minute and automatically cancel them.