I'm thinking of using cron and reading the files' dates

That's exactly what I do. Works like a charm.

Sample code:

    my $tmp_path = "/tmp/myapp";
    my $max_age  = 60*60*24;    # e.g. one day

    my $t_keep = time() - $max_age;
    my @stale_sessfiles =
        grep { (stat $_)[9] < $t_keep }  # files older than $t_keep
        glob "$tmp_path/cgisess_*";

    # print STDERR "$_\n" for @stale_sessfiles;  # debug

    unlink @stale_sessfiles;
[download]

Thanks for your code :) You wrote "Sample code". Does it work as it? Do I have to make changes to it?

Well, you might need to adjust $tmp_path and $max_age, and then configure things to have it run via cron.  You wouldn't risk much just giving it a try :) — there really isn't much to it, after all... And in case you're paranoid, you can always first comment out the unlink line, and uncomment the debug print to check what would be deleted...

That's the only way that I know to do it. However, it is partly for this reason that I use an SQL database to store session information. Not only is it tidier than "files," but it also gives you a very-direct way to store ancillary information such as expiry-dates.

I do know that PHP's session-handler provides a way for you to set a random (small...) probability that session-file cleanup should be done automagically. At random intervals, someone somewhere gets stuck with the job. Personally, though, I think that a cron-based process is fairer and cleaner.

Often in a CGI web application a user's session outlives several program invocations. It's important not to log a user out of a web application before the stated session time limit. Users are fickle beasts with a ravenous appetite for support techs. Please don't taunt them with easy access to the support department through a bug report.

For temporary files that really don't outlive a single program, File::Temp can give you an open file handle for a file that will automatically get cleaned up without predictably placing the PID number in the file name. Temp file naming collisions are a security risk.

if (int(rand 5) == 1) {
   $self->log->info('Purging old sessions from the DB');

   CGI::Session->find('driver:sybase', sub { }, {
      TableName => 'sessions',
      Handle => My::DB::Module::get_handle()
   });
}

UPDATE: Just noticed you were referring to file-based sessions.. Haven't tried this approach there..

#! /bin/bash
rm $(find /path/to/session-files/ -mtime 1)
[download]