The problem with the session timeout is that it is regenerated on each page load. The timeout I'm referring to would only regenerate when the user enters their password. You could easily do this by storing a session variable when the user enters their password:
Then simply check if $_SESSION['auth_until'] > time(); if it is, then the user is still verified.
$_SESSION['auth_until'] = time() + 15*60; //15 minutes from now
Since you're using "remember me" functionality, the standard rules for session expiration break horribly (i.e. there effectively is no expiration) and thus you can't rely upon them. Although in point of fact I do use a similar 15-minute window on sites that don't use a "remember me" feature to help mitigate the damage of a successful session hijacking (that is, even after a user logs in they have to effectively log in again to do anything with their account settings).
Edit: I'm not at all advocating that you log a user out when the auth_until timeout is reached, merely that you block access to sensitive information such as account settings until the user re-enters their password, at which point you refresh their auth_until timeout.