Scripts such as authorizeIPN.php and ipn.php in extern call session_start() early in their execution. Since these bypass the regular bootstrap process, the default PHP filesystem storage is used; bypassing any session save handler, such as Drupal's. For us, we don't give PHP write access to the default place sessions are stored, causing PHP notices. If they were saved, they would be lost when a different web server fulfills a request.
Since these are IPN requests, I don't expect that the sessions are used. Ideally, the call to session_save() would be removed. If something indeed expect sessions to work, the proper Drupal or other bootstrapping should happen so sessions are stored normally.