The default PHP sessions work perfectly well with TOR. There is no need to change anything.
All other questions are not related to TOR, but are subject to the usual considerations when using sessions. Do you want a login to expire after a certain inactive time? If yes, you have to implement that yourself.
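
One way to implement the inactivity expiry mentioned above, as an added example that is not part of the original answer. The 15-minute limit, the function names and the `user_id` session key are assumptions; the check uses only the session cookie and a server-side timestamp, so it behaves the same for Tor and non-Tor clients.

```php
<?php
declare(strict_types=1);

// Assumed value for this example, not from the original answer.
const IDLE_LIMIT_SECONDS = 900; // 15 minutes of inactivity

/**
 * Pure check: has the session been idle longer than the limit?
 * Kept separate from session handling so it can be tested on plain arrays.
 */
function session_is_idle_expired(array $session, int $now, int $limit): bool
{
    if (!isset($session['last_activity']) || !is_int($session['last_activity'])) {
        return false; // no timestamp yet: first request of this session
    }
    return ($now - $session['last_activity']) > $limit;
}

/**
 * Call at the top of every request, before reading any login state.
 * Returns true only if the session is still within the idle limit and logged in.
 * session.gc_maxlifetime alone is not a timeout: garbage collection runs
 * probabilistically, so stale session data can outlive it.
 */
function enforce_idle_timeout(int $limit = IDLE_LIMIT_SECONDS): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now = time();
    if (session_is_idle_expired($_SESSION, $now, $limit)) {
        // Drop the server-side data and expire the cookie so the old ID is useless.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', [
                'expires' => $now - 42000, 'path' => $p['path'], 'domain' => $p['domain'],
                'secure' => $p['secure'], 'httponly' => $p['httponly'],
            ]);
        }
        session_destroy();
        return false;
    }
    $_SESSION['last_activity'] = $now;   // sliding window: each request renews it
    return !empty($_SESSION['user_id']); // 'user_id' is a hypothetical login marker
}
```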