How do two ASP.NET_SessionId cookies appear unexpectedly in a cookie list?

I have a (very) intermittent problem in the production system, in which the user sometimes gets a message about the session timeout when navigating from one page to another (the timeout is set to 20 minutes in the web.config file, but this happens between requests that are 30 seconds apart).

I managed to get the Fiddler session of one of these timeouts and found that the request that caused the timeout had two ASP.NET cookie headers in the header. I suspect ASP.NET is collecting a new session identifier and considers this to be a new session.

Here is the last request that was fine:

POST https://************/****/****/GetBenefits HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-au
Referer: https://********/****/****/****/eabacef3-3fc1-4c7a-a2f9-6b13294cae0d
Accept: application/json, text/javascript, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ********
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __utma=234635549.1047786296.1290759252.1290759252.1291100928.2; __utmz=234635549.1291100928.2.2.utmcsr=localhost:1600|utmccn=(referral)|utmcmd=referral|utmcct=/X/****/****/****/a4ae2246-5b3c-42a9-8c43-b6f24f1838d5; SIVISITOR=MC4xMTAuMjA0ODY3NjQ1NDAwODIuMTI5MDc1OTI1MTgxMw__*; ASP.NET_SessionId=l0tsk4jwbp1v51mu3f3e4o55; __RequestVerificationToken_Lw__=JqfrynFIDnS1wc6aFWqP5WVsahQDipJzgrD/iFFfAZBUjbJX/EDrXokuyBzvNkArAjD1UBU6cKFitP1T0gI9RLUU8MIIemT2wkf0PNJhiA5dNZMNRf7PhlRpDf0zN8QCHGbd3w==

<content removed>

This contains one session entry: ASP.NET_SessionId = l0tsk4jwbp1v51mu3f3e4o55;

The message that returns the session timeout is as follows:

POST https://********/****/****/UpdateProductCosts HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-au
Referer: https://********/****/****/****/eabacef3-3fc1-4c7a-a2f9-6b13294cae0d
Accept: text/html, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ********
Content-Length: 351
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __utma=234635549.1047786296.1290759252.1291100928.1291267008.3; __utmz=234635549.1291100928.2.2.utmcsr=localhost:1600|utmccn=(referral)|utmcmd=referral|utmcct=/X/****/****/****/a4ae2246-5b3c-42a9-8c43-b6f24f1838d5; SIVISITOR=MC4xMTAuMjA0ODY3NjQ1NDAwODIuMTI5MDc1OTI1MTgxMw__*; ASP.NET_SessionId=0tluyjvt4dgroov05xqalg55; __utmb=234635549.1.10.1291267008; __utmc=234635549; ASP.NET_SessionId=l0tsk4jwbp1v51mu3f3e4o55; __RequestVerificationToken_Lw__=JqfrynFIDnS1wc6aFWqP5WVsahQDipJzgrD/iFFfAZBUjbJX/EDrXokuyBzvNkArAjD1UBU6cKFitP1T0gI9RLUU8MIIemT2wkf0PNJhiA5dNZMNRf7PhlRpDf0zN8QCHGbd3w==

<content removed>

: ASP.NET_SessionId = 0tluyjvt4dgroov05xqalg55; ASP.NET_SessionId = l0tsk4jwbp1v51mu3f3e4o55;

.

, , - , . ?

-, ASP.NET MVC 1.0.

!

Cheers, .

+3
1

IECookieViewer Firebug, , cookie . cookie ( ) . cookie mgmt .

0
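
Added example (not part of the original post or its answer): a Python check that scans a captured raw request, such as the Fiddler captures in the question, for cookie names sent more than once. The two sample requests are trimmed copies of the question's captures with a placeholder host, and the function names are hypothetical.

```python
def parse_cookie_header(value):
    """Split a Cookie header value into ordered (name, value) pairs.

    http.cookies.SimpleCookie is avoided on purpose: it stores one value
    per name, which would hide exactly the duplicate we are looking for.
    """
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        # Split on the first "=" only; values such as base64 tokens contain "=".
        name, sep, val = part.partition("=")
        pairs.append((name.strip(), val.strip() if sep else ""))
    return pairs


def duplicate_cookies(raw_request):
    """Return {name: [values in sent order]} for names sent more than once."""
    seen = {}
    for line in raw_request.strip().splitlines():
        if not line.strip():
            break  # blank line ends the header block; ignore the body
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "cookie":
            for name, val in parse_cookie_header(value):
                seen.setdefault(name, []).append(val)
    return {name: vals for name, vals in seen.items() if len(vals) > 1}


# Constructed samples: trimmed from the question's captures, host is a placeholder.
GOOD_REQUEST = "\r\n".join([
    "POST https://example.invalid/GetBenefits HTTP/1.1",
    "Host: example.invalid",
    "Cookie: __utmc=234635549; ASP.NET_SessionId=l0tsk4jwbp1v51mu3f3e4o55",
    "", "body=ignored",
])
FAILING_REQUEST = "\r\n".join([
    "POST https://example.invalid/UpdateProductCosts HTTP/1.1",
    "Host: example.invalid",
    "Cookie: ASP.NET_SessionId=0tluyjvt4dgroov05xqalg55; __utmc=234635549; "
    "ASP.NET_SessionId=l0tsk4jwbp1v51mu3f3e4o55; tok=abc==",
    "", "body=ignored",
])

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("failing", FAILING_REQUEST)):
        print(label, duplicate_cookies(req))
```

A browser sends two cookies with the same name when they are stored under different Domain or Path scopes, so a hit from this check is a cue to compare those attributes in the browser's cookie store.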

Source: https://habr.com/ru/post/1778050/

