[eluser]WanWizard[/eluser]
Yes.
Every "sess_time_to_update" seconds, the session library generates a new session id, and updates both the database record and the session cookie. Session id's are generated at random.
If you have concurrent requests, and the updated timestamp in the session cookie indicates it's time to rotate, the first request rotates from id A to id B, and sents back a cookie to the browser. The second request (which has sent its cookie to the server before the updated cookie was received from the previous request) will attempt to rotate the id as well. But at this time, session id A doesn't exist anymore. So the session library enters a "session not-found" state, and creates a new empty session, and sents that cookie back, overwritting the first cookie that was valid.
Result: you lost your session.
