Session expiry: after the date/time set in the cookie, the browser no longer sends this cookie in its request headers. When PHP receives no session information through a cookie, it starts a new session. On default PHP installs, session expiry is set to session (confusing, isn't it?), which means 'as long as the browser is not restarted'.
Session timeout: after this date/time the system is allowed to remove saved session data from storage. Session timeout gets renewed by new requests to PHP (or to be more precise: when session_start() is called).
Normally, one leaves session expiry at default, so new sessions are started when the browser is (re)started. Session timeout is used to enforce how long session data should remain in storage. Once session data is removed from storage, PHP will get empty data. Your session handler should set defaults when this happens (which it should anyway, because starting a new session requires the same).
There is no 'best' session timeout setting. PHP defaults to 24 minutes (1440 seconds). Just try to find out how long visitors can take between requesting pages. For instance: if you are certain that visitors request at least 1 page every 5 minutes, setting the timeout to 5 minutes seems reasonable.
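
An added example, not from the original text, that applies the two settings described above and sets defaults when the session data comes back empty. It goes one step beyond the text by also checking a last-activity timestamp, because PHP's session garbage collection only runs probabilistically; `IDLE_TIMEOUT`, `start_app_session()`, `session_defaults()` and the `user_id`/`last_seen` keys are assumed names.

```php
<?php
// Added example: IDLE_TIMEOUT, start_app_session(), session_defaults() and
// the 'user_id'/'last_seen' keys are assumptions, not from the original text.
const IDLE_TIMEOUT = 300; // seconds; the 5-minute figure used in the text

function session_defaults(): array
{
    return ['user_id' => null, 'last_seen' => time()];
}

function start_app_session(): void
{
    // Session expiry: lifetime 0 = cookie lasts until the browser is closed.
    ini_set('session.cookie_lifetime', '0');
    // Session timeout: after this many seconds GC *may* delete stored data.
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
    // Refuse session IDs that were not issued by this server.
    ini_set('session.use_strict_mode', '1');

    session_start();

    // GC is not guaranteed to run on time, so stale data can outlive
    // gc_maxlifetime. Enforce the timeout with a timestamp in the session.
    $lastSeen = $_SESSION['last_seen'] ?? null;
    if ($lastSeen !== null && time() - $lastSeen > IDLE_TIMEOUT) {
        session_unset();              // drop the stale data
        session_regenerate_id(true);  // new ID, delete the old storage entry
    }

    // Empty data (new session, removed by GC, or just timed out): set defaults.
    if (!isset($_SESSION['last_seen'])) {
        $_SESSION = session_defaults();
    }
    $_SESSION['last_seen'] = time();  // every request renews the timeout
}

start_app_session();
```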