There is a session expiration time that controls the login time (time session is active) in case customer do not log out.
It is set in the admin settings, but it is also related to PHP session expiration time configured on the server.
If you access from any different browser, device, phone, computer, etc. there will be new session and you need to login again.
This is pretty standard in all applications.
Please explain where you see a security issue?