[eluser]WanWizard[/eluser]
You can set the session expiration to 20min by assiging the value 1200 to the 'sess_expiration' config value.
Your controller should then check for a logged-in state (a session variable), and if not logged in, redirect to the login page. If this is true for all your controllers, you can use a MY_Controller extension, and do this check in the MY_Controller constructor (make sure your controllers extend MY_Controller instead of Controller).