When a user logs out, IIS sometimes releases the session and associated memory (visible in your monitors.axd) immediately. Whereas other times it will not flush the modules and therefore hold onto the memory for a certain period of time, and eventually flushing those (but sometimes taking up to an hour to it clear out).
The session handling is performed by Microsoft ASP.NET. The timeout settings which you can influence are not max- but min-times for the session to be kept open. Also, most of the time the session will be closed around the time set, that cannot be taken for granted.
Especially when the server is on a high load, the session handling as a less important process of the operating system, can be deferred. The settings which are recommended by us serve a stable operation. If for example, the sending of a shopping basket takes a bit longer, these settings guarantee that the connection to the database will not be closed in between.
Our recommended timeout value for sessionState is 35.