My first suggestions was to check sess_time_to_update and sess_regenerate_destroy values, it seems possible to set it up so you recreate sessions often but never clear out old ones.
If however session file size is 0, seems more like it's about new sessions, rather than keeping old one's.
Have you checked your site usage? I know we get constantly hit by people scanning for obvious vulnerable files like WordPress related stuff or if known configuration files are exposed - could be possible these get picked up by CI, but as deemed 404, it tries to handle it as new session?