Comment 7 for bug 1446036

On further research, it looks like directly manipulating the session through SessionHandler isn't going to work. If you're using the default session handler it causes a fatal error. If you're using a custom session handler, like memcached, then it doesn't throw a fatal error, but it doesn't seem to work as expected.

So we can ignore all the stuff in the preceding comment. We probably should raise our minimum supported PHP version to 5.4, but not because of this.

What I've done instead, is after each time we call session_start(), I call a method that uses headers_list() and header_remove() to eliminate the duplicate session cookies.

The behavior of PHP in this regard is a bit buggy. When there are duplicate session cookies that are going to be sent out, it still only shows one copy of the session cookie when you call headers_list(). However, doing "header_remove('Set-Cookie')" will remove all of the session cookie headers (as well as all the other cookies). So what I do is use headers_list() to get a list of all the unique cookies, do header_remove('Set-Cookie'), and then use header() to add each cookie header back.