Starting a session for every user is an application anti-pattern. Serving pages to users with sessions cannot be done out of a cache, so creating a session for every visitor inherently makes your application unscalable.
Our plugin provides an admin screen to see how many sessions have been started. You can also examine the headers being sent by your website. If you start a new incognito window and see a "PHPSESS" cookie being sent in response to a request for your site, you have some over-eager sessions code.
@PascalReintjens suggested using cookies instead of PHP sessions. Also, WordPress only uses "normal" cookies.
Maybe we should replace PHP sessions with raw cookies?
Source: https://pantheon.io/docs/wordpress-sessions/
Also important are the new laws in Europe & Germany: https://dsgvo-gesetz.de/
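
The header check from the quoted Pantheon text, as an added example that is not part of the original post or of any plugin's code: it audits the response an anonymous visitor receives for a session cookie and for the uncacheable headers that PHP's default session cache limiter sends. The function names and both sample responses are constructed for illustration, and the cookie-attribute check (HttpOnly, Secure, SameSite) goes beyond what the post discusses.

```python
# Added example: audit the response headers an anonymous visitor receives.
SESSION_PREFIX = "PHPSESS"              # cookie name prefix quoted on the page
UNCACHEABLE = {"no-store", "no-cache"}  # sent by PHP's default "nocache" limiter

# Constructed sample responses (not captured from any real site).
EAGER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=constructedvalue0123; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
"""
CLEAN = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: public, max-age=600
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_anonymous_response(raw):
    """List the signs that a session was started for a visitor with no cookies."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            cookie, *attrs = [part.strip() for part in value.split(";")]
            cname = cookie.split("=", 1)[0]
            if cname.upper().startswith(SESSION_PREFIX):
                findings.append(f"session cookie {cname} set for anonymous visitor")
                flags = {a.split("=", 1)[0].lower() for a in attrs}
                for wanted in ("httponly", "secure", "samesite"):
                    if wanted not in flags:
                        findings.append(f"{cname} is missing {wanted}")
        elif name == "cache-control":
            tokens = {t.strip().lower() for t in value.split(",")}
            if tokens & UNCACHEABLE:
                findings.append(f"response marked uncacheable: {value}")
    return findings

if __name__ == "__main__":
    for label, raw in (("eager", EAGER), ("clean", CLEAN)):
        print(label, audit_anonymous_response(raw) or "no session started")
```

To use it on a real site, pass in the raw response headers from a request sent without any cookies, for example the output of a HEAD request made from a fresh client.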