Do I understand the secure approach to session management correctly?
Good day.
It is no secret that the standard session mechanism does not provide protection on its own, which makes it necessary to build it yourself. An article from the PHP community suggests managing sessions based on timestamps. What does that mean?
I understand it as follows (of course, strict_mode for sessions is enabled):
- a sessions table is created; every session of a logged-in user is written there, along with its creation time
- if there was a disconnection, the session is broken; we wait 5-7 minutes before marking the session inactive, and if the user reappears during that time, we restore the session
- session cookies live only for one session (meaning the browser session); the actual session on the server lives for as short a time as possible
- the session ID changes every 15-30 minutes during the session and is written to the database; old IDs are marked as inactive
- sessions marked inactive are deleted from the database only once the session file is deleted by the garbage collector
- accordingly, we stop attempts to knock with a session that already exists in the database but is marked as inactive
- we also stop attempts to knock with a session that is not in the database (if all new IDs are created by the server, this is probably an attack)
Is this approach to managing sessions correct, or have I missed or misunderstood something?
Thanks in advance.
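Added example, not part of the question or of any answer on this page: a language-neutral model of the policy listed above, written in Python rather than PHP so the timing rules can be exercised offline. An in-memory dict stands in for the sessions table, the clock is injectable, and the constants (ROTATE_AFTER, GRACE_PERIOD, IDLE_TIMEOUT) and all names are assumptions chosen here. It covers the three cases the list distinguishes: an ID the server never issued (rejected outright), an old ID presented within the grace window after rotation (the client is steered to its successor), and an old ID presented after the window (rejected, and the whole chain of IDs descending from it is killed). In PHP the same shape is what session.use_strict_mode plus session_regenerate_id() with a `destroyed` timestamp in the session data gives you, as in the manual's example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed policy constants (the post gives 15-30 min rotation and a 5-7 min wait).
ROTATE_AFTER = 15 * 60   # rotate the session ID after this many seconds of life
GRACE_PERIOD = 5 * 60    # a rotated-away ID is still honoured for this long
IDLE_TIMEOUT = 30 * 60   # server-side lifetime with no requests (assumption)


@dataclass
class Record:
    """One row of the hypothetical sessions table."""
    user_id: str
    created_at: float
    last_access: float
    destroyed_at: Optional[float] = None   # None = active; else time it was rotated away
    successor: Optional[str] = None        # ID issued in its place at rotation


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.table: Dict[str, Record] = {}   # stands in for the database table

    def login(self, user_id: str) -> str:
        """Issue a fresh server-generated ID; only IDs created here are ever valid."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.table[sid] = Record(user_id, now, now)
        return sid

    def resolve(self, sid: str) -> Tuple[Optional[str], Optional[str]]:
        """Map a presented cookie to (user_id, current_sid), or (None, None) to reject."""
        now = self.clock()
        rec = self.table.get(sid)
        if rec is None:
            return None, None   # never issued by the server (strict mode): reject
        if rec.destroyed_at is not None:
            if now - rec.destroyed_at <= GRACE_PERIOD and rec.successor in self.table:
                # client lost the connection before it saw the new cookie: steer it along
                return self.resolve(rec.successor)
            # inactive ID outside the grace window: treat as hijack, kill the chain
            self._kill_chain(sid)
            return None, None
        if now - rec.last_access > IDLE_TIMEOUT:
            del self.table[sid]
            return None, None
        rec.last_access = now
        if now - rec.created_at >= ROTATE_AFTER:
            sid = self._rotate(sid, rec, now)
        return rec.user_id, sid

    def _rotate(self, old_sid: str, old: Record, now: float) -> str:
        """Issue a successor ID; the old row stays, marked inactive, until gc() removes it."""
        new_sid = secrets.token_urlsafe(32)
        self.table[new_sid] = Record(old.user_id, now, now)
        old.destroyed_at = now
        old.successor = new_sid
        return new_sid

    def _kill_chain(self, sid: Optional[str]) -> None:
        """Delete the presented row and every ID issued after it."""
        while sid is not None:
            rec = self.table.pop(sid, None)
            sid = rec.successor if rec else None

    def gc(self) -> int:
        """Garbage collector: drop expired active rows and inactive rows past the grace window."""
        now = self.clock()
        dead = [
            sid for sid, r in self.table.items()
            if (r.destroyed_at is not None and now - r.destroyed_at > GRACE_PERIOD)
            or (r.destroyed_at is None and now - r.last_access > IDLE_TIMEOUT)
        ]
        for sid in dead:
            del self.table[sid]
        return len(dead)
```

Note that resolve() is the only entry point a request handler needs: it returns the ID the response should set as the cookie, which differs from the presented one exactly when a rotation happened or a stale-but-in-grace ID was steered to its successor.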
Do not read the manual @ reinvent the wheel!
Every session already carries a last-access timestamp. The creation time can also be stored, but why?
Sessions can already be stored in the database.
You can already change the session ID.
The session lifetime is already configurable.
However, let's say you are inventing something new. Tell us in more detail what, in your opinion, a communication session is, and what "all sessions live only one session" means.