In Apache HTTP Server 2.4 release 2.4.37 and prior, modsession checks the session expiry time before decoding the session. This causes session expiry time to be ignored for modsession_cookie sessions since the expiry time is loaded when the session is decoded.