by throwaway03626 1039 days ago
One difference is that Slack would not work if it logged out automatically after 15 minutes of inactivity. They would lose most of their customers. The only realistic risk to the user from Slack's point of view is that when the user walks away without locking the computer, someone might read or write Slack messages.

Sensitive applications still lock after X minutes of inactivity even on desktop, because the impact of someone else using your computer carries too much risk. One example of this is password managers, where they sometimes require a password or a biometric to unlock after a short period of inactivity.

You'll see the same pattern in web applications. I haven't used the web version of Slack in a while, but I remember that it didn't force me to log in that often.

I think one of the reasons why many choose to have a short session expiration time is that they either can't or don't dare to do a proper risk assessment and just do what their competition seems to do.

There may be technical reasons too. Web applications do have a higher risk of accidentally leaking passwords through low security and hostile actors. Reducing the TTL may not fix the issue, but it will at least reduce the window where an attacker can make use of a stolen token. It may not matter much if you have a dedicated attacker, but it at least adds some resistance.

Creating a secure application takes time (acceptance from business) and experience (junior developers) and many don't have either.
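The idle-versus-absolute expiry trade-off this comment describes, as an added Python example (not from the commenter; the timeout values are assumptions chosen to contrast a chat-style app with a password-manager-style app):

```python
"""Server-side session store with a separate idle timeout and absolute lifetime.

Assumed policies: a chat app tolerates a long idle window, while a vault-style
app re-locks after a few minutes of inactivity. Shortening either value shrinks
how long a copied token stays usable, which is the 'window' the comment refers to.
"""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class Policy:
    idle_timeout: int       # seconds since last activity before the session dies
    absolute_lifetime: int  # seconds since login after which re-auth is always required


CHAT_APP = Policy(idle_timeout=30 * 24 * 3600, absolute_lifetime=90 * 24 * 3600)
VAULT_APP = Policy(idle_timeout=5 * 60, absolute_lifetime=8 * 3600)


@dataclass
class SessionStore:
    policy: Policy
    sessions: dict = field(default_factory=dict)  # token -> (issued_at, last_seen)

    def login(self, now: int) -> str:
        token = secrets.token_urlsafe(32)  # opaque, unguessable session id
        self.sessions[token] = (now, now)
        return token

    def validate(self, token: str, now: int) -> bool:
        """Return True and refresh last_seen if the token is still within both limits."""
        rec = self.sessions.get(token)
        if rec is None:
            return False
        issued_at, last_seen = rec
        if (now - issued_at > self.policy.absolute_lifetime
                or now - last_seen > self.policy.idle_timeout):
            del self.sessions[token]  # drop it so a stolen copy cannot be replayed later
            return False
        self.sessions[token] = (issued_at, now)
        return True

    def remaining_window(self, token: str, now: int) -> int:
        """Seconds a copied token stays usable if the victim does nothing more."""
        rec = self.sessions.get(token)
        if rec is None:
            return 0
        issued_at, last_seen = rec
        deadline = min(issued_at + self.policy.absolute_lifetime,
                       last_seen + self.policy.idle_timeout)
        return max(0, deadline - now)
```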