In my experience, you’re best to store a timestamp in the session itself and to use that to determine whether to expire the session via your own code, rather than rely on PHP’s session expiry. I’ve found that it doesn’t always behave quite as you might expect.
You may want a session to expire a certain time after it was created, or you may want it to be after a specific amount of inactivity. You can pick and choose by just deciding when to update your timestamp. You can also more easily set different session lengths for different users if you like, too.
It requires that you code the solution into your site, rather than use the built in session expiry, but it’s not a lot of work and it’s worth doing IMO