There are several possibilities, I will list the most common:
Your server (StateServer) is being restarted and you are saving the sessions in memory
Your database storing sessions is being deleted (somebody cleans it) with some frequency
The user is using the incognito (anonymous) browsing mode of browsers
The user is clearing cookies and sessions manually or the browser is configured to do this when closing
User is switching browser (session is not kept between browsers)
At some point in your code you can have a Session.Abandon() or lougout
In%% of you can put error handlers to catch exceptions that are not being handled and catch some error that may not be being reported or detected.
Complementation
The session may be configured differently in the authentication part and in the HTTP part, within its global.asax . I'm gonna explain. See the following example of web.config
<?xml version="1.0"?>
<configuration>
<system.web>
<sessionState timeout="20" mode="SQLServer" cookieless="false" sqlConnectionString="data source=servidor\SQL2012;user id=user_aspstate;password=aspstate"/>
<authentication mode="Forms">
<forms name="MeuAuth" loginUrl="Login.aspx" path="/" timeout="10000" protection="All"/>
</authentication>
</system.web>
</configuration>
Notice that the authentication timeout is 10,000 minutes! The default value for this property is 30 minutes. The sessionState is configured with a timeout of 20 minutes, which is already the default value that .NET places for this property. If the form has a shorter timeout than the sessionState it will happen sooner. And it may be that your web.config has this problem with different values.
