phpBB's manual states that sessions are based on more than the session ID in your cookie. As an extra measure against
session hijacking (e.g. Firesheep) and
session fixation, an administrator can set phpBB to validate your public IP address (/16, /24, or the whole thing), the
User-agent and
Referer headers provided by your browser, and the
X-Forwarded-For header provided by a proxy. This means if your DHCP lease expires and you get a different IP address, you might get logged out. Or if you're behind a carrier-grade NAT (common in developing countries and with wireless ISPs) or a transparent proxy (which AOL dial-up was notorious for using), you might get logged out.
NESdev BBS is currently set to these security settings:
- Allow persistent cookies ("Keep me logged in"): On, no expiration
- Restrict a session to a /24's worth of public IP addresses (such as 123.45.67.xx)
- Validate User-agent
- Do not validate X-Forwarded-For
- Validate hostname in Referer of POST requests
And these load settings:
- Users disappear from "Who is online" after 5 minutes
- Sessions expire after 1 hour (I'm not sure if this is an hour after login or an hour after last page view)
And obviously, if you're using private or incognito mode, your browser will toss your session cookie more aggressively.