Timeouts and session management in internet services have usually been based on username and password, and the logout mechanisms that expire user sessions have likewise been calculated in the traditional way. Biometric solutions substitute biometric data for the username and password, but this is still not sufficient for user verification. The length of the session timeout will have a greater impact on client satisfaction and service quality. This makes user identity immutable. This paper provides promising alternatives by using biometrics in session management. This is accomplished by using a secure protocol for authentication through a unique type of continuous user verification. The protocol calculates an adaptive timeout based on the biometric data, and the frequency of that data, transparently acquired from the user.