I'm not sure what you mean by sessions in the Web context. There aren't any. What you get is a page request, which is broken down into requests for each of the page components (images, etc.) Once the request has been served, that's the end of the interaction between server and client. Even if the browser is closed down, the server can't tell.
The user may then be reading the page, having a coffee, off in a meeting somewhere or, indeed, reading a different page in another tab or browser.
At some point the user clicks on a link or types an URL and requests another page from another, or the same, server, but that's not part of any session.
Which, of course, is what you have to work around to create a Web "log-in". Normally logging in means opening a session, but there aren't any, so you have to mimic it, which means, directly or indirectly, passing the authorisation (username/password/whatever) back with every request.
In Web analytics, it's usual to assume that a sequence of page requests to the same server, each separated by no more than x minutes, is a session, which really just means a sequence of related behaviours. x is chosen arbitrarily.