I see now that this is determined by the settings in Admin Area -> Preferences -> Security and Protection.
I have "User Tracking method" set to "Cookies", and below that I see the "Session Lifetime" set to 86400 seconds (24 hours).
I have "Cookie/Session name" set to (for the sake of the discussion) "my_cookie".
Curiously, looking at Firefox's "Storage Inspector" tool (Tools -> Web Developer -> Storage Inspector), I see a cookie named "my_cookieSID" (I note in session_handler.php, in the constructor for the 'e_core_session' class that 'SID' is appended to the cookie name, so that's where that comes from), but the "Expires on" value lists a datestamp which is only one hour forward in time, rather than the 24 hours specified in Preferences. And, indeed, my session seems to expire after 60 minutes, so I'm not quite sure what is going on there. Looking in "php.ini" I see that "session.gc_maxlifetime" is also set to 24 hours, so that doesn't seem to be a factor.
Edit: I see that in session_handler.php, the $_options array for the e_session class has a default value of one hour. But I've put error_log debug statements at every location (that I can see) in the file where the 'lifetime' field is assigned, and they all show 86400 seconds. Confused at present about how the cookie is being set to expire after 60 minutes.
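An added example, not part of the original post and not e107 code: a small Python check that reads the lifetime the server actually puts in the `Set-Cookie` response header and compares it with the configured 86400 seconds, independent of what the PHP debug statements report. The header values below are constructed samples that mirror the one-hour expiry described above; the cookie value `abc123` is a placeholder.

```python
from email.utils import parsedate_to_datetime

CONFIGURED_LIFETIME = 86400  # "Session Lifetime" from the post, in seconds


def cookie_lifetime(set_cookie, date_header):
    """Return (name, seconds the browser keeps the cookie); None means session cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # Max-Age takes precedence over Expires (RFC 6265, section 5.3).
    if "max-age" in attrs:
        return name, int(attrs["max-age"])
    if "expires" in attrs:
        # Measure Expires against the server's own Date header, not the local clock.
        sent = parsedate_to_datetime(date_header)
        expires = parsedate_to_datetime(attrs["expires"])
        return name, int((expires - sent).total_seconds())
    return name, None


def check(set_cookie, date_header, expected=CONFIGURED_LIFETIME, tolerance=5):
    """Describe whether the cookie lifetime on the wire matches the configured one."""
    name, seconds = cookie_lifetime(set_cookie, date_header)
    if seconds is None:
        return f"{name}: session cookie, no Expires or Max-Age"
    if abs(seconds - expected) <= tolerance:
        return f"{name}: OK ({seconds}s)"
    return f"{name}: MISMATCH, cookie lives {seconds}s, configured {expected}s"


# Constructed sample headers (not captured from a real site).
SAMPLE_DATE = "Mon, 06 Jan 2025 10:00:00 GMT"
SAMPLE_COOKIE = (
    "my_cookieSID=abc123; expires=Mon, 06 Jan 2025 11:00:00 GMT; path=/; HttpOnly"
)

if __name__ == "__main__":
    print(check(SAMPLE_COOKIE, SAMPLE_DATE))
```

Paste the `Date` and `Set-Cookie` values from the browser's network panel in place of the samples to run the check against the real response.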