Bug #48063 Spontaneously disappearing, cookie-based sessions
Submitted: 2009-04-23 16:51 UTC Modified: 2009-04-25 10:31 UTC
From: myselfasunder at gmail dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.9 OS: Ubuntu
Private report: No CVE-ID: None
 [2009-04-23 16:51 UTC] myselfasunder at gmail dot com
Description:
------------
I have set the following:

session_name('GOLDENCOLLECTION');
session_set_cookie_params(86400 * 3);
ini_set('session.use_only_cookies', '1');
ini_set('session.gc_maxlifetime', 86400 * 3);


I can load the same page many times successfully. However, if I wait a while, around twenty minutes, the session's members are no longer available.

This is the first time I've used cookies to carry the SID (instead of putting them in the URL).

I have administrative control of the system.

Reproduce code:
---------------
session_start();


Expected result:
----------------
The session should be started and all preexisting members should be available. It -does- happen, but only until around twenty or thirty minutes have elapsed, and then they'll be gone.

Actual result:
--------------
They'll disappear without me doing anything.

 [2009-04-23 17:33 UTC] jani@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2009-04-23 19:06 UTC] myselfasunder at gmail dot com
<?php

session_name('COOKIE');
session_set_cookie_params(86400 * 3);
ini_set('session.use_only_cookies', '1');
ini_set('session.gc_maxlifetime', 86400 * 3);

session_start();

if(isset($_SESSION['aa']))
	print("Session already exists.<br>");

else
	print("Session DOES NOT exist.<br>");

$_SESSION['aa'] = true;
 [2009-04-23 21:02 UTC] scottmac@php.net
You need to set it in the php.ini; if any other script uses sessions and doesn't set it to be the same value, it will delete the sessions.
 [2009-04-23 21:24 UTC] myselfasunder at gmail dot com
Even if this is the only script that executes on the system (a front-controller in the only application)?

How about the fact that my session-name is 'COOKIE' in this test-script... Wouldn't only everything that uses a session-name of COOKIE interfere with each other, in this case?
 [2009-04-23 21:59 UTC] scottmac@php.net
It's not that smart, it just looks through the session directory and kills anything that looks like a session file based on the last time the file was read and the current lifetime value.

If there are zero other scripts on the system then it should be fine, but I suspect there is one somewhere you are missing. Can you add this to the php.ini file and see if you can reproduce it?

We could look to adding the session lifetime to the file but that would break backwards compatibility and you could accidentally set a session to 10 years from now and it would never get removed.
 [2009-04-24 00:05 UTC] myselfasunder at gmail dot com
This is just a project, at work, that I've been working on, and this is just all from the perspective of my local system... so, it's very unlikely that any other sessionized web-apps are running without me being able to think of them.

I don't exactly know the format of the session file, but since it deals with serialized information and a predictable data-size, you can presumably put the lifetime information at the end of the file without interfering with backward compatibility..?
 [2009-04-24 21:20 UTC] myselfasunder at gmail dot com
I've removed the session name setting and the cookie-parameters call:

ini_set('session.use_only_cookies', '1');
ini_set('session.gc_maxlifetime', 86400 * 3);

session_start();

if(isset($_SESSION['aa']))
	print("Session already exists.<br>");

else
	print("Session DOES NOT exist.<br>");

$_SESSION['aa'] = true;


However, even though the cookie lifetime is 0, the session still disappears. Thoughts/suggestions?

Is this most likely a me-problem, or the extension?
 [2009-04-25 10:31 UTC] derick@php.net
There might be a cronjob removing sessions... Debian based systems do that.
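
Added example, not part of the thread and not PHP project code: a diagnostic that compares the lifetime a script sets with ini_set() against the value in php.ini, which is what other scripts or an external cleanup job would apply, and lists the session files caught in between. The helper names expired_session_files() and session_dir() are hypothetical; the script assumes the default "files" save handler and a session directory the PHP user can list.

```php
<?php
// Added diagnostic, not part of the bug report. Assumes the default "files"
// save handler, whose GC compares each file's modification time to gc_maxlifetime.

// Return sess_* files in $dir that a cleanup pass using $lifetime seconds would delete.
function expired_session_files($dir, $lifetime, $now = null)
{
    $now = ($now === null) ? time() : $now;
    $expired = array();
    $files = glob(rtrim($dir, '/') . '/sess_*');
    foreach ($files ? $files : array() as $file) {
        $age = $now - filemtime($file);
        if ($age > $lifetime) {
            $expired[basename($file)] = $age;
        }
    }
    return $expired;
}

// session.save_path may be "N;/path" or "N;MODE;/path"; keep the path part.
// Nested session directories (the N; form) are not walked here.
function session_dir()
{
    $parts = explode(';', (string) ini_get('session.save_path'));
    $path = end($parts);
    return $path !== '' ? $path : sys_get_temp_dir();
}

// Same runtime override as the reporter's script.
ini_set('session.gc_maxlifetime', (string) (86400 * 3));

$runtime = (int) ini_get('session.gc_maxlifetime');
$iniFile = get_cfg_var('session.gc_maxlifetime');        // false if php.ini does not set it
$others  = ($iniFile === false) ? 1440 : (int) $iniFile; // 1440 s is PHP's built-in default

printf("save path: %s\n", session_dir());
printf("this script's lifetime: %d s\n", $runtime);
printf("lifetime applied by anything relying on php.ini: %d s\n", $others);

// Files this script wants to keep but a php.ini-based cleanup would remove.
$keep = expired_session_files(session_dir(), $runtime);
foreach (expired_session_files(session_dir(), $others) as $name => $age) {
    if (!isset($keep[$name])) {
        printf("at risk: %s (idle %d s)\n", $name, $age);
    }
}
```

If the two lifetimes differ, any session idle longer than the smaller one can be removed by whichever process runs cleanup with that value, regardless of the session name.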