[cgiapp] Understanding sessions

[Brad Cathey]

Hello,

Though I'm been using CGI::App for a few years, this will sound like a
newbie thread, but bear with me--your help will be greatly
appreciated.

I'm still trying to understand queries, sessions and cookies.

First, I have read the CAP::Session docs several times and my
understanding is: (and correct me here):

1) C::A does not naturally create a session unless there is an
explicit reference to 'session', e.g., $self->session->param('userid')
2) sessions need cookies or id (that would have to be stored in a
hidden input field to maintain state)
3) unless explicitly set to false, a cookie is automatically created
when a session is created
4) the parameters for that cookie are defaulted unless cookie
parameters are explicited given
5) sessions are stored in /tmp on my server, but linked by id to a
cookie or param that I pass back and forth to my page
6) $self->query->param('userid') is not a session, and is only
applicable for that instance, or until another header is sent to the
browser
7) sessions are not deleted unless explicitly called:
$self->session_delete, however cookies expire automatically

Here's my challenge:
I have an application built on C::A and HTML::Template that starts by
displaying a login page when landing on the site, if they are not
already logged in. Of course, when checking the login param, a session
is created. If they never log in, that session is just left sitting in
/tmp. My /tmp directory is filled with thousands of sessions that are
not getting deleted.

Questions:
1. how can those unnecessary sessions be deleted?
2. where are the actual session->params stored?

Thanks!
Brad