Check the timezone set in PHP, the operating system and memcached
Timezone differences can cause sessions to time out prematurely, because each component has a different idea of what the current time is.
Disable browser fingerprint settings
Occasionally, when a user accesses the site on a mobile device, their IP address can change frequently. If REMOTE_ADDR is included in the browser fingerprint configuration, this will cause their session to end prematurely.
Session ending before xforms_session_timeout or session_expiry_time length
If the session is ending prior to the session length specified in configuration, check that session.gc_maxlifetime has been set to a value greater than the application session length.
User is given a new session id, however their old session is still present on the server
As of version 80, Google Chrome has changed how it handles cookies without a SameSite flag in the cookie header. Previously the behaviour was to allow cookies on all domains when SameSite was not set. The new behaviour is to only process the cookie when SameSite=None and the Secure flag is set. We have found that this can cause an intermittent issue where site visitors returning from a payment provider will find themselves logged out of their account. Please see our SameSite cookie configuration changes - April 2020 guidance for details on how to resolve this.
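
The checks above for session.gc_maxlifetime, the PHP and operating system timezone, and the session cookie's SameSite and Secure flags can be run together from one script. This is an added example, not code from the product; APP_SESSION_LENGTH and the function names are assumptions, and the memcached check is not covered.

```php
<?php
// Added diagnostic, not part of the product. Run it under the same SAPI that
// serves the site. It reads php.ini defaults; values the application sets at
// runtime are not visible here.

// Assumption: application session length in seconds, copied by hand from
// xforms_session_timeout / session_expiry_time. 3600 is a constructed value.
const APP_SESSION_LENGTH = 3600;

function check_gc_lifetime(int $appLength, int $gcMaxLifetime): ?string
{
    return $gcMaxLifetime > $appLength ? null
        : "session.gc_maxlifetime ($gcMaxLifetime) must be greater than the session length ($appLength)";
}

function os_utc_offset(): ?int
{
    // `date +%z` prints the operating system offset as +hhmm or -hhmm.
    $out = function_exists('shell_exec') ? trim((string) @shell_exec('date +%z')) : '';
    if (!preg_match('/^([+-])(\d{2})(\d{2})$/', $out, $m)) {
        return null;
    }
    $seconds = (int) $m[2] * 3600 + (int) $m[3] * 60;
    return $m[1] === '-' ? -$seconds : $seconds;
}

function check_timezone(int $phpOffset, ?int $osOffset): ?string
{
    if ($osOffset === null) {
        return 'could not read the operating system UTC offset';
    }
    return $phpOffset === $osOffset ? null
        : "PHP UTC offset ({$phpOffset}s) differs from the operating system ({$osOffset}s)";
}

function check_cookie(array $params): ?string
{
    // Per the Chrome 80 change described above: a cookie is only processed
    // across domains when it carries SameSite=None together with Secure.
    $sameSite = strtolower((string) ($params['samesite'] ?? ''));
    return ($sameSite === 'none' && !empty($params['secure'])) ? null
        : 'session cookie lacks SameSite=None with Secure; returns from a payment provider may lose the session';
}

$findings = array_filter([
    check_gc_lifetime(APP_SESSION_LENGTH, (int) ini_get('session.gc_maxlifetime')),
    check_timezone((int) date('Z'), os_utc_offset()),
    check_cookie(session_get_cookie_params()),
]);
echo ($findings ? implode(PHP_EOL, $findings) : 'no issues found') . PHP_EOL;
```

The samesite key in session_get_cookie_params() requires PHP 7.3 or later; on older versions the cookie check always reports a finding.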