Session expiration equals session _cookie_ expiration.
By default the cookie has no expiration date, which means it expires when the user closes the browser. You can set a fixed expiration window with
ActionController::Base.session_options[:session_expires] = something
and dynamic expiration with this plugin
http://agilewebdevelopment.com/plugins/dynamic_session_exp
The very database cleanup has to be done by hand. Just put a cron task that deletes old records in the sessions table.
-- fxn