So previously we'd decided to deprecate and end support for our session package in favor of consuming code from the PHP community, but there have been a few suggestions along the way that implies there should be a session package in our framework (or support for one built right into the application classes). So, I'd say now's a good time to revisit that choice and decide whether the package should be kept or stick with plans to end support.
If the package is kept, I think we need to consider a full rewrite of at least the base session object and some refactoring of our handler objects. This would be a package bumped to a PHP 5.4 minimum and start using PHP's SessionHandlerInterface and our handlers cleaned up to comply with this. The actual Session class I'd say needs its API cleaned up a fair bit for testability and ensuring it is usable.
The PHP version bump could potentially start a "domino effect" here. If we keep the dependency in the Application package for example, then that package must bump to PHP 5.4 also, and any packages dependent on the Application package (IIRC that's our OAuth code), etcetera etcetera.