Yep ... just like I thought, browsers just don't send a cookie, "thinking" that static files are being requested.
Performance issues? No.
Security issues? Considering that it's an empty session - not a critical issue, but it's a concern.
I'd reconsider at least the URL naming scheme in your case, it's at the root of the problem you're having. That is, of course, unless there's something wrong with your session/cookie settings (check cookie domain name and path).