Do both.
Option 1 limits the amount of time a hacker who somehow manages to steal
a cookie has to break into your site as well as limiting the ability of someone
to sit down at that person's desk and use your site.
Option 2 limits the ability of someone sitting down at that person's desk and
start using their logged in session.
Accomplish option 1 with the following parameters from parameters/site.tcl
ns_param SessionTimeout 7200
ns_param SessionLifetime 10800
and option 2 with this parameter
ns_param PersistentLoginDefaultP 0