session.cookie_pathdefaults to '/', which is good. But if
session.cookie_pathis the empty string (''), then the cookie path is set relative to the current URL. If the request is to example.com/foo/bar/bax.php and the cookie path is '', then the cookie is set for example.com/foo/bar - not example.com/ as one might expect. But then the browser goes and saves it forever. And you can the same cookie id on multiple paths and then the expire and maybe some get reset during a logout/login cycle.