Assuming that you are using Default implementation of Session stored on SQL Server. Please check that the entries in the ASPStateTempSessions table are removed after the related sessions have exceeded their expiration. If it is not removed that check that SQL Server Agent is running or not. This expiration mechanism has been implemented as stored procedures/Jobs, DeleteExpiredSessions is the SP that is responsible for expiring the session.
Usually we configure session state in following way in Web.Config
<sessionstate>
mode="SQLServer"
sqlConnectionString="data source=127.0.0.1;user id=<username>;password=<strongpassword>"
cookieless="false"
timeout="60"
/>
</strongpassword></username></sessionstate>