Handle session rotation race condition in a different way than the is_ajax_request check that is currently done. That check is still used as a fallback, but this way allows us to handle multiple requests to the server even if they are not ajax requests.
The major drawback is that it requires a new field to be added to the session table.
(same issue as EllisLab#1283)
keep track of old session id to handle race condition
Merge branch 'develop' into fix-session-rotation
This issue is being discussed in #1746. You have an interesting solution, but I think it may not fully solve the problem at hand. I'd love to have your input in the other thread.
Also, the code your request proposes to change just got moved into a driver and slightly rearranged with the merge of #353.
This beats the whole purpose behind regenerating the session ID - pointless. Any fixes for the problem should involve locking, not hacks around already established security measures.