You should be getting far more than a second out of the deal, but you won't get a year by any means without playing with the server configuration (or using database sessions instead of file sessions). At the server end, a session (by default) is a temporary file that will be deleted eventually that corresponds with a session ID assigned to the user. When the user hits the server again, the user's session file is re-opened (or read, destroyed and recreated if you're regenerating). Even if the cookie is still good, when the session file is deleted, the session no longer exists.
Persistent login ("remember me") generally requires a login token cookie that can be used to automatically log the user in without them having to re-enter their credentials. Keeping a persistent session means configuring the server to keep session files for an extended period of time, and that usually means having control of the server (such as with a VPS). Since you don't have that ability with a shared/managed sever, you generally have to use a login token rather than a long-lived session ID.
Again, though, you shouldn't be getting booted during a continuous activity session. The session garbage collection lifetime should be long enough for most activity pauses, and you can always have something on the page ping the server (making a small request) if you're building something that requires long periods of activity on the page that doesn't otherwise require server interaction. I don't know what the session.gc_maxlifetime is on the Free Hosting servers offhand, but the default is usually around 24 minutes (1440 seconds), after which the server essentially has permission to kill the file if it hasn't been read/written. Once that happens, the session no longer exists, and the fact that you still have a valid PHPSESSID cookie doesn't change that.
