The session module manages sessions so that data can persist between HTTP requests. It is not designed to provide reliable expiry or any authorisation features; that is the job of modules built on top of the session module. An example of such a module is the auth module.
Session files using the file driver should not be given public write access as a carefully constructed pickled file could execute
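A permission check for a pickle-backed session directory of the kind described above, as an added example that is not part of the session module. The function names and the sample store are assumptions, and it assumes a POSIX system where the store and its files belong to the application user.

```python
import os
import pickle
import stat
import tempfile

LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group and other


def problem(st):
    """Return why a stat result is unsafe for a pickle-backed store, or None."""
    if stat.S_ISLNK(st.st_mode):
        return "symbolic link"
    if st.st_uid != os.geteuid():
        return "not owned by the application user"
    if st.st_mode & LOOSE_WRITE:
        return "group/world writable (mode %o)" % stat.S_IMODE(st.st_mode)
    return None


def audit_session_dir(session_dir):
    """Check the directory and every entry in it; return {path: reason}."""
    names = sorted(os.listdir(session_dir))
    paths = [session_dir] + [os.path.join(session_dir, n) for n in names]
    found = {p: problem(os.lstat(p)) for p in paths}
    return {p: why for p, why in found.items() if why}


def load_session(path):
    """Unpickle a session file only if it and its directory pass the check."""
    parent = os.path.dirname(os.path.abspath(path))
    why = problem(os.lstat(parent))
    if why:
        raise PermissionError("session directory %s is %s" % (parent, why))
    with open(path, "rb") as fh:
        # fstat the open handle so the file checked is the file that is read
        why = problem(os.fstat(fh.fileno()))
        if why:
            raise PermissionError("refusing to unpickle %s: %s" % (path, why))
        return pickle.load(fh)


if __name__ == "__main__":
    store = tempfile.mkdtemp()  # constructed sample store (mode 0700)
    for name, mode in (("sess_good", 0o600), ("sess_loose", 0o666)):
        with open(os.path.join(store, name), "wb") as fh:
            pickle.dump({"user": "alice"}, fh)
        os.chmod(os.path.join(store, name), mode)
    print(audit_session_dir(store))
    print(load_session(os.path.join(store, "sess_good")))
```

The directory is checked as well as the files because write access to the directory allows a session file to be replaced even when the file's own mode is 0600.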