I'm not sure about the race condition. CGI::Session
checks each request for a returned cookie. If there isn't one it allocates a unique session id and its own file (if you're using that option). The response contains a cookie with the id.
I'm thinking that you could get a race condition only if the same cookie came in at the same time (with, say, a different query string). I'm not sure how likely that would be and anyway a lot rarer than the OP is experiencing.
I'd be intrested to find out if I'm wrong. I'd have a lot of code to rewrite. :-)