PHP sessions never expire

PHP Sessions use a cookies to keep the session alive. The default value for the cookie lifetime is 0 (session.cookie_lifetime) which means that the session will be valid for the amount of time the browser is open.

You can change this value by using ini_set (before starting the session) or by using an .htaccess file with the following line:

php_value session.cookie_lifetime secs

More information: http://us3.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime