I am not sure why the data is needed for this method if it only updated the timestamp only.  Otherwise wouldn't his be the same the 'write' method? I think it is confusing and the manual unfortunately doesn't give much information about the whole session mechanics.

When session.lazy_write is enabled, which is the default behaviour, session data will NOT be UPDATED if it remains unchanged, in this way the WRITE method of the session handler will not be called at all.

If your session handler storages session data into files, UpdateTimestamp is used to update the "last modified time" of the session file, if your session handler storages session data into a database, UpdateTimestamp is used to update the table field that storages the last modified time of the session registry.

This is largely speculation based on what I can see in php-src - it appears that  the `$data` argument is included for two reasons:

1. If you subclass `SessionHandler` and implement `SessionUpdateTimestampHandlerInterface`, your `updateTimestamp()` method may be called - but you can't call `parent::updateTimestamp()` because that method isn't implemented on `SessionHandler`. So instead you must call `parent::write()` which means you need the data to avoid overriding it with a blank session.
2. This simplifies the source code for PHP, since depending on whether there _is_ data and whether lazy `session.lazy_write` is enabled, either this method or `write()` will be called when the session is closed. Having the same arguments means only the name of the method being called has to change, not the arguments.

The second reason feels a bit flakey so I don't trust my own reasoning there. But the first reason seems sound.

Example of using $sessionData available in updateTimestamp function.

This is useful when we try to use cookie as a container to save session data.
In cookie we need to maintain the access timestamp on similar lines of access time of file.

Here we have session.serialize_handler as php_serialize to use serialize() and unserialize() for session encoded data.

<?php
    public function updateTimestamp($sessionId, $sessionData)
    {
        $sessionDataArr = unserialize($sessionData);
        $sessionDataArr['_TS_'] = $this->currentTimestamp;
        $sessionData = serialize($sessionDataArr);

        $cookieData = $this->encryptData($sessionData);
        if (strlen($cookieData) > 4096) {
            ob_end_clean();
            die('Session data length exceeds max 4 kilobytes (KB) supported per Cookie');
        }

        return setcookie(
            $name = $this->sessionDataName,
            $value = $cookieData,
            $options = [
                'expires' => 0,
                'path' => '/',
                'domain' => '',
                'secure' => ((strpos($_SERVER['HTTP_HOST'], 'localhost') === false) ? true : false),
                'httponly' => true,
                'samesite' => 'Lax'
            ]
        );
    }
?>

'validateId' is called after 'open' and before 'read' to validate the session id provided by the client, as 'open' -> 'validateId' -> 'read' -> 'write' -> 'close' are called in sequence.

If 'validateId' returns false, a new session id will be generated, the session cookie will also be updated afterwards.