[eluser]WanWizard[/eluser]
That's why I said the entire session class should be rewritten.
Session ID rotation happens based on information in the cookie. In case of multiple concurrent requests, the original cookie is send. If the first request decides it's time to rotate the ID, so will the second (as it's using the last used date in the cookie, instead of the one from the database, which could have been updated in the meantime.
By default, the session library does an UPDATE for every modification to the session variables. It also writes a Set-Cookie to the HTTP header. If you, like me, uses session variables a lot, you will end up with dozens of queries, and a HTTP header which can easily exceed the page in size. Which will have quite a significant performance impact.
To revert my fix, simply change the default value of the write() parameter from FALSE to TRUE.
