Session renewal (see SessionBackend::renew()) happens when the session store object is near expiry. It doesn't have anything to do with cookie expiration (which in practice is either bound to the browser session, or long enough that it's OK not to renew it) so there is not point emitting cookies, and this is the main source of session cookies being emitted at unpredictable times. We should get rid of it.
|mediawiki/core||master||+32 -12||SessionManager: Allow disabling persisting session metadata on renew|
I was hoping this could be done simply by throwing out the if ( $this->persist ) block from SessionBackend::renew() but unfortunately that doesn't really have any effect; the cookies will still be output due to the dirty metadata flag. Not sure if there's an easy fix for this... maybe just suppress setting cookies when they would make no difference compared to the existing cookies? But then, we'd have to deal with SameSite on top of that. Ugh.