Let's consider situation implementing session and cookie-based login and logout function from scratch, we store session id and user information corresponding to session id on the server side (memory or database, whatever), but if the user doesn't explicitly logout and do not call method like "invalidate", then how should we remove the session id and session data pairs left behind in server side? (assuming cookie has expired on the client side, so that session id might not be passed anymore), should we run some kind of batch job periodically on the server to check the expiration of the data left behind and remove them all at once?
I'm implementing it for studying, and I don't know what the best way to do it is in this situation, so I'm asking.