
When does a web server clear the PHP session identifier?


It's a little more complicated than just "when it's cleared".

A session has a lifetime in PHP. The default is 24 minutes. That means that after you connect to a website, your session is valid until

  • You close the browser (which won't be simulated with cURL unless you just drop the cookies)

    OR

  • 24 minutes pass

Each time you load a page and the server calls session_start(), that expiration time will be bumped an additional 24 minutes (technically speaking, it's actually bumped 24 minutes at the end of the script execution on pages where session_start() is called).

When that cookie actually expires, your session is no longer valid, and $_SESSION will be empty on the server side. But your data is still on the server until the next time that the server performs a session garbage collection cycle to clear out expired sessions which, depending on the session handler in use on the server, may or may not actually delete your data. A bank, for example, might send the data off to an archive server in case they ever need the records.


The server removes the session after the session timeout has passed since the last request. This is by default 1440 seconds (24 minutes); it can be changed in the php.ini file.

The session is not flushed server-side on closing the browser; the client loses his session data though, since the browser deletes its local memory of the session. But if you keep your session ID somewhere safe you can use it again later on, if you stay within the timeout frame of course.

This is exactly how session hijackings work: they get your session ID in some way and can then set this session ID on their own machine and continue your session.
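
Both answers note that the session data stays on the server until the timeout or the next garbage collection cycle, and that a known session ID keeps working inside that window, so an application can enforce the idle timeout itself and destroy the record immediately. The following is an added example, not code from either answer; the `last_activity` key, the function and constant names, and the assumption that the site is served over HTTPS are illustrative.

```php
<?php
declare(strict_types=1);

// Idle timeout in seconds; mirrors the 1440-second default mentioned above.
const IDLE_TIMEOUT = 1440;

// Passed to every session_start() call so the settings are explicit.
const SESSION_OPTIONS = [
    'use_strict_mode' => 1,     // refuse session IDs the server did not issue
    'cookie_httponly' => 1,     // keep the ID out of reach of page scripts
    'cookie_secure'   => 1,     // assumption: HTTPS only
    'cookie_samesite' => 'Lax',
];

/**
 * Pure policy check, separate from session state so it can be unit tested.
 * $lastActivity is null for a session that has not been stamped yet.
 */
function session_is_stale(?int $lastActivity, int $now, int $timeout = IDLE_TIMEOUT): bool
{
    return $lastActivity !== null && ($now - $lastActivity) > $timeout;
}

/** Call at the top of every request instead of a bare session_start(). */
function start_session_with_idle_timeout(): void
{
    session_start(SESSION_OPTIONS);

    $now = time();
    if (session_is_stale($_SESSION['last_activity'] ?? null, $now)) {
        // Expired by the application's own clock: wipe the data and the stored
        // record now rather than waiting for a garbage collection cycle.
        $_SESSION = [];
        session_destroy();

        // Start a clean session under a new ID so the old one is useless.
        session_start(SESSION_OPTIONS);
        session_regenerate_id(true);
    }

    // Sliding window: every request that passes the check extends the session.
    $_SESSION['last_activity'] = $now;
}
```

Calling `session_regenerate_id(true)` again right after a successful login limits how long any previously captured ID remains useful.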