Google Analytics uses a permanent cookie (i.e. one with a long lifetime that is renewed every time the visitor returns) and you cannot configure cookie lifetime in Google Analytics. The cookie stores a client id and is required to recognize recurring users; your client will not be able to recongize recurring users or to create user based segments. I doubt that GA makes that much sense under the circumstances.
What you can do is to configure Google not to set cookies at all by setting the "storage:none" option when you create the tracker. Then you could set a client id for the session in a session cookie, and pass the value as client id to the tracker.
ga('create', 'UA-XXXX-Y', {
'storage':'none',
'clientId': 'value from the cookie'
});
Btw. German law does not require you to use session cookies only (you need to provide a comprehensive privacy policy, an opportunity for an opt-out from tracking and your client needs an agreement with Google pertaining to the processing of data on behalf of your client, a "Vereinbarung zur Auftragsdatenvereinbarung". Google provides a document that you just need to sign. And you must not save personally identifiable data). So this is probably just your client being a bit overcautious.