You can use the gc_maxlifetime configuration directive to determine how long after the last access to this session the data should be destroyed. This is used because the server doesn't know whether the cookie still exists on the client side. However, performing such a cleanup of old sessions (called "garbage collection") on every page request would cause considerable overhead. Therefore, in tangent with the gc_maxlifetime, you should use gc_probability. This specifies with what probability the garbage collection routine should be invoked. If gc_probability is 100, the cleanup is performed on every request (that is, with a probability of 100%); if it's 1 as by default, old sessions will be removed with a probability of 1% per request.
