These are the files visitor and login sessions are stored in. They should be cleaned up by the php environment, but it is not unusual for that to fail or to not be configured on the server or to be prevented by file permissions. Your first call should be to work out why the environment is not cleaning them up automatically.
You can just delete the entire directory content from the SSH command line, or delete all that are more than 2 weeks old (depending on your CLI skills). If you delete all, then all current users end up logged out and visitors forgotten.
Some sites with this problem handle it with a shell script to delete > 2 weeks old and run that through cron.
There may be someone who has posted a concrete automated job you can install to the site to do similar. I had one for 5.6, but it is not suitable for installing on v8.
That was much as I suspected. I’ve already mentioned to the web host that I think it should perhaps be a cron job. I’ll explore further. If php doesn’t deal with it, and/or I can’t get it done by cron, I guess I’ll have to run a clean-up script via ssh. Not hard, but a nuisance.
I’ll start by feeding this information to the hosting provider as I suspect they’ll have a number of sites with this issue. If they can’t or won’t do anything, I’ll definitely try that.
Assuming you are on shared hosting, this is really something your hosting provider should help with. In my experience, the hosting provider will usually have some sane default settings already for garbage collection.
If your account uses cPanel, you can use the PHP INI editor to set these values.
Then add this to your cron jobs (SSH crontab -e) or through your hosting control panel (modified for your directory structure), -mtime 14 is for 2 weeks: