Note: You are currently viewing documentation for Moodle 3.3. Up-to-date documentation for the latest stable version of Moodle is probably available here: Sessions FAQ.
What is the purpose of Sessions?
Web applications are "stateless". That is, by nature, any information stored in program variables is lost each time a script completes. That happens on every page. So for anything other than completely trivial scripts you need to have a way of storing information for that user for the current login. There are various ways to do this but the simplest is an implementation of PHP's native $_SESSION array that will keep information for a particular user on the same PC for a short period of time.
What information do they hold?
Sessions hold a range of information. The fact that you are logged on, your user profile, etc. Anything that needs to be available on all Moodle pages quickly.
How are they constructed?
It's a PHP thing. It's very simple. Moodle issues the session_start() 'command' and then access PHP's $_SESSION variable. The contents of that automagically persist in a written file/database/memcached server.
How long should they be retained for?
There is no reason to keep them beyond the current, well, session.
Do I need to include them in my site backups?
No, not at all. The information required is for the immediate purposes of Moodle and is not required beyond that.
Do I need to delete them?
Session files should automatically be deleted when they are no longer needed. If files are building up you should look into why.
How do I delete them?
It's not very elegant, but at quiet times you can simply delete the sessions directory in moodledata. The worst that will happen is that anyone logged in gets thrown off. A slightly more elegant solution would delete any files in that directory more than a few hours old.