Forum OpenACS Q&A: Response to Cookie Expiration Recommendations

Posted by Tom Jackson on

You should use both methods and have a session timeout as short as users will put up with. Sessions time out on a lack of activity, not since the initial cookie was set. If you are actively using a site, a session can continue or renew without the user having to log in again. Try something like 10 minutes (600 sec) to 20 minutes.
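
An added example, not part of the original post and not OpenACS code: a small server-side session store in Python showing the inactivity-based timeout described above, where each request renews the window and only a gap longer than the timeout forces a new login. The class, method and function names are hypothetical; the 600-second value is the low end of the range the post suggests.

```python
import secrets
import time

IDLE_TIMEOUT = 600  # seconds; low end of the 10-20 minute range in the post


class SessionStore:
    """Hypothetical server-side store: sessions expire on inactivity."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock        # injectable so the demo can fake time
        self._sessions = {}       # session id -> (user, last_activity)

    def login(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable cookie value
        self._sessions[sid] = (user, self.clock())
        return sid

    def touch(self, sid):
        """Check the cookie on each request; return the user or None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_activity = entry
        now = self.clock()
        if now - last_activity > self.idle_timeout:
            del self._sessions[sid]        # idle too long: require login
            return None
        self._sessions[sid] = (user, now)  # activity renews the window
        return user


def demo():
    """Constructed timeline: three active requests, then a long idle gap."""
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.login("alice")
    results = []
    for t in (300, 800, 1300):   # each request is within 600 s of the last
        now[0] = t
        results.append(store.touch(sid))
    now[0] = 1300 + 601          # 601 s of inactivity
    results.append(store.touch(sid))
    return results


if __name__ == "__main__":
    print(demo())
```

The session is still valid 1300 seconds after login because no gap between requests exceeded 600 seconds; it is dropped only after the 601-second idle period.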