chill117 / express-mysql-session

A MySQL session store for the express framework in node

Question regarding expiration

mpgr04 opened this issue

As far as I noticed, both the session cookie and the entry in the MySQL session store of this module have a lifetime.
Must both expiry times have the same value or is one of them unnecessary?
As soon as I call a session destroy, both will be removed anyway, both the database entry and the cookie, but how is it when the expiration period is exceeded?

Thanks!

The expiration of the session in your database applies server-side. This module has a function that clears expired sessions at a set interval - the time between checks can be configured. If the server deletes a session record from the database, the next time that the client with the corresponding session cookie visits your website, the server will not be able to find its session in the database. So the server will generate a new session for that client.

The expiration of the session cookie applies on the client-side (browser). Once a cookie has reached its expiration time, the browser should delete it. The client will no longer send its session cookie to your server. The next time that client visits your website, the server will create a new session for that client.

I was confused about this too. To clarify,

| session_id | expires | data |
| --- | --- | --- |
| 3phuQRt... | 1656693448 | {"cookie":{"expires":"2022-07-01T16:37:27.897Z",...},...} |

This expires time is used internally by express-mysql-session to track when sessions should be deleted from the database. It's for cleaning up old sessions. Here, data.cookie.expires is the actual time that the user's cookie expires, which is effectively when the user will need to log in again. For most purposes, this is the value that you should check.

Hopefully I am understanding correctly. I spent a while trying to figure out why the expires field kept on creeping forward while the session was never being modified or touch()-ed anywhere in my code. Then I realized I should instead be checking data.cookie.expires to find out how much time the user had left.
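
The two expiry values discussed in this thread, read side by side from one stored row. This is an added example, not code from the thread or from express-mysql-session; it assumes `expires` is Unix time in seconds and `data` is JSON text with an optional ISO-8601 `cookie.expires`, and the function name and sample row are hypothetical.

```javascript
// Added illustration; field names follow the row quoted in the thread.
// Assumptions: `expires` is Unix time in seconds, `data` is JSON text whose
// optional `cookie.expires` is an ISO-8601 timestamp.
function describeSessionRow(row, nowMs = Date.now()) {
  const storeExpiresMs = Number(row.expires) * 1000;
  if (!Number.isFinite(storeExpiresMs)) {
    throw new TypeError('row.expires must be a Unix timestamp in seconds');
  }

  let data;
  try {
    data = typeof row.data === 'string' ? JSON.parse(row.data) : row.data;
  } catch (err) {
    throw new SyntaxError('row.data is not valid JSON: ' + err.message);
  }

  // A cookie without `expires` lives until the browser closes, so there is no
  // client-side deadline to report.
  const raw = data && data.cookie ? data.cookie.expires : null;
  const cookieExpiresMs = raw ? Date.parse(raw) : null;
  if (cookieExpiresMs !== null && Number.isNaN(cookieExpiresMs)) {
    throw new RangeError('data.cookie.expires is not a parseable date');
  }

  return {
    sessionId: row.session_id,
    // Server side: the record is past the time the store tracks for cleanup.
    storeExpired: nowMs >= storeExpiresMs,
    // Client side: the browser should already have dropped the cookie.
    cookieExpired: cookieExpiresMs !== null && nowMs >= cookieExpiresMs,
    // Time the user has left before logging in again (null = no deadline).
    secondsLeftForUser: cookieExpiresMs === null
      ? null
      : Math.max(0, Math.floor((cookieExpiresMs - nowMs) / 1000)),
  };
}

// Constructed sample row (session id is made up; times mirror the thread's row).
const sampleRow = {
  session_id: 'constructed-session-id',
  expires: 1656693448,
  data: '{"cookie":{"expires":"2022-07-01T16:37:27.897Z"}}',
};
console.log(describeSessionRow(sampleRow, Date.parse('2022-07-01T16:00:00Z')));
```
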