The shopping cart flow relies on certain data stored as session and cookies. How long this data remains available depends on all of these factors working together.
Cart session
The cart specific session stores long-lived data relevant to products added to the cart only. To configure a longer duration, simply change the Session timeout value (seconds) under Configuration > Cart settings. This is a sliding expiry, which means as long as the customer continues to interact with the shopping cart, it will extend the session for another period. It's recommended to keep a long session timeout such as 2,592,000 seconds (30 days).
General session
The general session normally stores any short-lived data such as page state, ongoing transactions, etc. To successfully complete a checkout, the general session data must be available throughout the lifecycle of a checkout. Generally, if your site offers only on-site payments, the session timeout can be reasonably short. If, however, you offer an off-site payment method (e.g. payment redirects to external site such as PayPal or payment hosted in an IFRAME), you need to ensure the session remains available for a much longer time. The reason is the amount of time the user spends on the external site can vary tremendously beyond your control. Furthermore, certain payment methods may take many hours to confirm back the transaction. Therefore, you need to make sure the customer's session remains available when he is redirected back to your site to complete the checkout transaction.
The general session timeout depends on the <sessionState> configuration in your web.config file. This is a sliding expiry, which means as long as the customer interacts with the site, his session will remain alive for another period.
<sessionState timeout="360" />
It's recommended to set a longer timeout value such as 360 minutes or longer to prevent losing a user's session to increase your chances of a successful checkout.
Authentication
The forms authentication determines how long a user remains logged in. This is configured by the <forms> configuration in your web.config file using the timeout attribute value in minutes. The slidingExpiration determines is the timeout should be extended by another period if the user interacts with the site. By default, this value is set to false, if unspecified.
<forms timeout="60" slidingExpiration="true" />
It's recommended to set a longer timeout value such as 60 minutes or longer with the slidingExpiration enabled to prevent logging out too frequently.
Please note this value normally does not affect the shopping cart flow unless the Session logout is enabled under Configuration > Cart settings. If enabled, the cart session will be removed when the Storefront detects that the user has logged out. It may also affect the checkout if the timeout is exceedingly short.
Application pool
The application pool is the host process of the Web site. If you configured the application pool to automatically shut down after a short period of inactivity or automatically recycle every fixed time, users who suddenly return to your site may find their sessions are lost. It's recommended that you disable the idle timeout (or use a ping service to keep your site alive) and recycle infrequently only during off hours.