Like every bug, I did it to myself.

I was having difficulty figuring out why, after visiting a certain page on my development subdomain’s site, my session logged out. There wasn’t any code to do this… it’s cookie based… the cookie is there, but seems to change value, as if the session is being deleted. Finally, I notice that there’s a cookie for my production subdomain that uses the same name… and they both apply to the same domain. This means that if I were to try going back and forth between domains and hit a page that sets this cookie, my session is unrecognized by the other subdomain. But I haven’t been going back and forth… ahh, but I DO include an object on that page, and upon examination, the code that provides it is hard-coded to my production site. So I was surreptitiously loading content from my production site, which set the cookie, which conflicts with my dev session cookie because they’re both whole-domain cookies.

Changing the object code to apply only the current call’s subdomain cleared up the problem.