Drupal have session-handling settings in the following three cases:

1. In .htaccess file
2. In settings.php file,
3. In bootstrap code in the includes/bootstrap.inc file.

In .htaccess
Drupal has full control when sessions start by turning off PHP’s session.auto_start functionality in the Drupal installation’s default .htaccess file with the
following line:

php_value session.auto_start 0

session.auto_start is a configuration option that PHP cannot change at runtime, which is why it lives here instead of settings.php.

In settings.php
You can set most session settings within the settings.php file, located at sites/default/settings.php

ini_set('session.cache_expire', 200000); // 138.9 days
ini_set('session.cache_limiter', 'none');
ini_set('session.cookie_lifetime', 2000000); // 23.1 days
ini_set('session.gc_maxlifetime', 200000); // 55 hours
ini_set('session.save_handler', 'user'); // Use user-defined session handling.
ini_set('session.use_only_cookies', 1); // Require cookies.
ini_set('session.use_trans_sid', 0); // Don't use URL-based sessions.

Having these settings in settings.php instead of .htaccess allows subsites to have different settings, and allows Drupal to modify the session settings on hosts running PHP as a CGI (PHP directives in .htaccess don’t work in such a configuration).

Drupal uses the ini_set('session.save_handler', 'user'); function to override the default session handling provided by PHP and implement its own session management;
user-defined in this context means 'defined by Drupal'.

In bootstrap.inc

PHP provides built-in session-handling functions, but allows you to override those functions if you want to implement your own handlers. PHP continues to handle the cookie management, while Drupal’s implementation does the back-end handling of session storage.

The following call during the DRUPAL_BOOTSTRAP_SESSION phase of bootstrapping sets the handlers to functions in includes/sessions.inc and starts session handling:

require_once variable_get('session_inc', './includes/session.inc');
session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write',
'sess_destroy_sid', 'sess_gc');
session_start();

This is one of the few cases where the names of the functions inside a file don’t match the file’s name. You would expect the preceding functions to be session_open, session_close, and so on. However, because PHP already has functions in that namespace, the shorter prefix sess
is used.

Notice that the file being included is defined by a Drupal variable. This means that you cancleanly implement your own session handling and plug that in instead of using Drupal’s default session handling. For example, you could implement the sess_open, sess_close, sess_read, sess_write, sess_destroy_sid, and sess_gc functions to use an in-memory database and save the code in a file called inmemorysessions.inc. Setting the session_inc Drupal variable causes

Drupal to use your code for sessions:

<?php
variable_set('session_inc', './sites/all/inmemorysessions.inc');
?>