
I tend to agree with respect to machine sessions where tokens are handed around and persisted and the cost of reauthing bothers no one. Sessions should be as short as is reasonable for performance.

For human applications you should generally not expire general access but expire leases to critical actions. Generally there are more and less sensitive realms of actions and reads that a user can do, with a non-linear continuum of risk and user pain. Logging in and browsing your content - fine. Mutating, deleting, viewing sensitive data like credentials, creating new credentials, changing credentials, etc - reauth either every time or with some short window like 5 minutes.
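The split the comment describes, as an added example (not the commenter's code): the login session stays valid indefinitely, reads need only the session, and sensitive actions need a "lease" issued by a recent reauth, with credential changes consuming the lease so they reauth every time. Action names, the tiers and the 5-minute TTL are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Added example, not the commenter's code: a long-lived login session plus a
# short-lived "lease" that sensitive actions must present. Action names, the
# Risk tiers and the 5-minute window are assumptions for illustration.
LEASE_TTL_SECONDS = 5 * 60  # the "short window like 5 minutes" from the comment

class Risk(Enum):
    READ = "read"              # browsing content: the login session is enough
    SENSITIVE = "sensitive"    # mutate/delete/view credentials: needs a fresh lease
    EVERY_TIME = "every_time"  # create/change credentials: fresh, single-use lease

# Constructed action catalogue; a real app would derive this from its routes.
ACTION_RISK = {
    "view_post": Risk.READ,
    "delete_post": Risk.SENSITIVE,
    "view_api_key": Risk.SENSITIVE,
    "change_password": Risk.EVERY_TIME,
}

@dataclass
class Session:
    user_id: str
    lease_issued_at: Optional[float] = None  # epoch seconds of last password/MFA proof
    lease_consumed: bool = False             # True once a single-use lease is spent

def record_reauth(session: Session, now: float) -> None:
    """Called after the user re-proves identity; issues a fresh, unspent lease."""
    session.lease_issued_at = now
    session.lease_consumed = False

def lease_is_fresh(session: Session, now: float) -> bool:
    if session.lease_issued_at is None:
        return False
    age = now - session.lease_issued_at
    return 0 <= age <= LEASE_TTL_SECONDS  # negative age = clock went backwards: not fresh

def authorize(session: Session, action: str, now: float) -> str:
    """Return 'allow' or 'reauth_required'; the login session alone never unlocks SENSITIVE."""
    risk = ACTION_RISK.get(action, Risk.SENSITIVE)  # unknown actions fail closed
    if risk is Risk.READ:
        return "allow"
    if not lease_is_fresh(session, now) or (risk is Risk.EVERY_TIME and session.lease_consumed):
        return "reauth_required"
    if risk is Risk.EVERY_TIME:
        session.lease_consumed = True  # one credential change per reauth
    return "allow"
```

Note that a consumed lease still covers ordinary SENSITIVE actions until it ages out; only the EVERY_TIME tier is single-use.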


