We had a discussion a few months back with some of the guys from Magento regarding an Enterprise client we had. One of the server recommendations they noted was:
improper PHP session.gc_probability parameter value (0) on the web server, resulting in automatic session files deletion not working!
Intrigued by the comment, I did some research and found that on Debian Squeeze (bugs 388808 and 321460) the default is 0, meaning that PHP keeps every session file and never deletes old ones itself. We even had to write a script to clear the millions of session files that had built up (see the blog posts "rm: Argument list too long" and "rm: Argument list too long - improved speed").
Even on some of our existing PHP installs the original, incorrectly set php.ini rarely gets updated, so the following setting remains in place:
session.gc_probability = 0
Which should be set as:
session.gc_probability = 1
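As an added example (not from the original post), a small Python audit of php.ini text that shows why 0 disables session cleanup: PHP runs session garbage collection at session start with probability session.gc_probability / session.gc_divisor, and a commented-out key falls back to PHP's built-in default of 1/100. The ini snippets are constructed.

```python
# PHP's built-in defaults, used when a key is absent or commented out in php.ini
PHP_DEFAULTS = {"session.gc_probability": "1", "session.gc_divisor": "100",
                "session.gc_maxlifetime": "1440"}

def parse_php_ini(text):
    """Minimal php.ini reader: ';' starts a comment, '[section]' lines are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # a commented-out key yields nothing
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"')
    return values

def effective_gc(values):
    """Settings PHP will actually use, plus the per-request GC chance gc_probability/gc_divisor."""
    merged = {k: values.get(k, d) for k, d in PHP_DEFAULTS.items()}
    prob, divisor = int(merged["session.gc_probability"]), int(merged["session.gc_divisor"])
    chance = prob / divisor if prob > 0 and divisor > 0 else 0.0   # 0 means GC never runs
    return {"probability": prob, "divisor": divisor, "chance": chance,
            "maxlifetime": int(merged["session.gc_maxlifetime"]),
            # expected session starts between two GC runs; None when GC is disabled
            "requests_per_gc": round(1 / chance) if chance else None}

def audit_session_gc(ini_text):
    """Return (effective settings, findings) for one php.ini text."""
    gc = effective_gc(parse_php_ini(ini_text))
    findings = []
    if gc["chance"] == 0.0:
        findings.append("session.gc_probability is 0: PHP never removes expired session "
                        "files itself, so they accumulate unless an external job cleans them")
    return gc, findings

# Constructed samples: the misconfiguration from the post, the corrected line, and a
# commented-out line (which falls back to PHP's default of 1/100).
BROKEN_INI = "[Session]\nsession.gc_probability = 0\nsession.gc_divisor = 1000\n"
FIXED_INI = "[Session]\nsession.gc_probability = 1\nsession.gc_divisor = 1000\n"
COMMENTED_INI = "[Session]\n;session.gc_probability = 0\n"

if __name__ == "__main__":
    for name, ini in (("broken", BROKEN_INI), ("fixed", FIXED_INI), ("commented", COMMENTED_INI)):
        settings, findings = audit_session_gc(ini)
        print(name, settings, findings or "no findings")
```

A probability of 0 is only acceptable where a separate scheduled job expires the session directory; without one, session files grow without bound, which is exactly the situation the post describes.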