Depending on the server that you are using, you can force the session cookie to expire after a fixed interval. In Weblogic you may specify the cookie-max-age-secs in weblogic custom deployment file - weblogic.xml
If you don't want to touch the session cookie, you can store a separate cookie at login that defines your time limit as the max age of it. Use an intercept filter that checks the availability of that cookie and invalidate the session when that cookie is not available.
where the timeInSeconds will be the value after which the refresh has to occur. So if you are proposing that you would give a value of 15 minutes (15*60), then it would work only if the user is inactive for that period. However if the user continues to interact with the server within this 15 minute period, the session will never expire.
Also if you do go down this path, remember to invalidate any existing sessions in the login page.