User session idle timeout
There does not appear to be any idle timeout for user sessions, including those of administrative users (or if there is, I have never seen it in my own testing, meaning that it must be in excess of 8 hours).
Ideally this should be a configurable value, but failing that, an inactivity timeout of 1 hour or less should be enforced for administrative accounts at the very minimum. Not doing so is a significant security risk and would definitely be flagged on a penetration test, especially considering the personal data that administrative accounts have access to.
I know there is always a trade-off between usability and security, which is why it would be preferable if the timeout was a configurable value, but a session inactivity timeout that is either entirely absent or lasts many hours is not something I consider an acceptable position given the nature of the application.
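As an added illustration of the behaviour requested above (example code, not the application's own implementation): a session store with a configurable per-role idle timeout, an absolute lifetime cap, and a fail-closed default for unknown roles. The role names, the 1-hour/8-hour defaults and the 12-hour absolute cap are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Per-role idle timeouts. Constructed defaults for this example: admins get
# 1 hour, everyone else 8 hours; an operator can override either at startup.
DEFAULT_IDLE_TIMEOUTS = {"admin": timedelta(hours=1), "user": timedelta(hours=8)}
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock start


@dataclass
class Session:
    session_id: str
    role: str
    last_activity: datetime
    absolute_expiry: datetime  # hard cap, reached even if the user stays active


class SessionStore:
    def __init__(self, idle_timeouts=None, absolute_lifetime=timedelta(hours=12)):
        self.idle_timeouts = {**DEFAULT_IDLE_TIMEOUTS, **(idle_timeouts or {})}
        self.absolute_lifetime = absolute_lifetime
        self._sessions = {}

    def create(self, session_id, role, now):
        self._sessions[session_id] = Session(session_id, role, now, now + self.absolute_lifetime)

    def idle_timeout_for(self, role):
        # An unknown role gets the strictest configured timeout, so a
        # misconfiguration fails closed rather than open.
        return self.idle_timeouts.get(role, min(self.idle_timeouts.values()))

    def touch(self, session_id, now):
        """Run on every authenticated request: extend the idle window if the
        session is still valid, otherwise evict it and report False."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        idle_expired = now - s.last_activity > self.idle_timeout_for(s.role)
        if idle_expired or now >= s.absolute_expiry:
            del self._sessions[session_id]  # expired: a fresh login is required
            return False
        s.last_activity = now
        return True


def demo():
    """Admin session: alive after 59 idle minutes, gone after a further 61."""
    store = SessionStore()
    store.create("adm1", "admin", T0)
    first = store.touch("adm1", T0 + timedelta(minutes=59))
    second = store.touch("adm1", T0 + timedelta(minutes=59 + 61))
    return first, second
```

Each successful `touch` slides the idle window forward, while `absolute_expiry` still forces re-authentication for a session that is kept alive indefinitely.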