No, no, no, no, no.

That delete code HAS to be there because of the extra metadata stored as part of the session, i.e. the bad design decision I've been groaning about all over this tracker. In truth, that query could be disabled in full if $handler == 'database' and left to the session API's garbage collection processing.

Step two. The checkSession() method should only manipulate the time column when $handler != 'database'. The time should ONLY be manipulated by the session API when the database is the session data store; outside manipulation of it (such as in the referenced method) is as good as invalidating an entire session's record to me.

Maybe the second item fixes the problem you're running into. But what your first PR did is anything but valid and this second PR is adding some random check variable without any real explanation. Point blank, I have used this session API as part of a Framework application and the API itself behaves just fine. It's this damn metadata that is screwing things royally.

Closing as what michael said is 100% true