Are you making the proper distinction between the timeout of the appserver Session object and a timeout for a Session EJB? They are really two different kinds of things.
The actual persistency for a Stateful Session EJB is handled by your activate and passivate code, which is called when the bean itself is being recycled. By default, most EJB servers maintain internal consistency with the backing store but not with any updates or deletions to that backing store from external sources (this way they can avoid the overhead of monitoring for external changes).
Although there are many who disagree, I recommend that you use Entity EJBs for DBMS-backed objects rather than Session EJBs. After all, they are designed to provide the session EJB functionality plus be more aware of persistency concerns.
If you're a purist (or expect a lot of changes in the system), put business logic in a Session EJB and have it reference Entity EJB(s) for the persistent data.