I have this code in my web.config:
Windows Authentication Timeout:
If the users are logging onto a windows environment and it is controlled by active directory (domain) there is the chance that there is a domain policy in place to log the user out of the "windows session" after so many minutes of inactivity, this would be done for security reasons. I think your next step would be to talk with whoever is in charge with the windows network and pass it off to them.