User session is not expiring in SDL8.5 CME and there is no mechanism to logout users after stipulated time. Of course, there is a variable called 'accessTokenExpiration' that define how long a token is to be expired, but the current CME implementation will automatically refresh the token if expired. So at the moment, there is not any setting that you can use to expire a session after some idle time.
Consequently, this is captured as a risk in our internal audit. It is recommended to have controllable session like other web applications to comply with regulatory requirements. Based on our findings, it is same with SDL 9.1 as well. Since we are encouraged not to do customizations, SDL may add configuration settings in the product itself for session time outs in next/future release.