If you set the security level in a cake application to high, an algorithmus regenerates the SessionID.

Usually, this is not a bad idea. But as sometimes several requests are started simoultaniously, I discovered that random requests didn't get a proper user-id in the session and further found out that during AJAX-Requests requests the sessioncookie got deleted and in the same request a new one was set. As a result, a few AJAX-Requests failed due to an invalid session id.

After reducing the security to medium, the errors were gone.

It seems that this is a known issue to the developers (https://trac.cakephp.org/changeset/5982) and should have been fixed for over two years. As far as I can tell from the current source, SessionIDs are regenerated each tenth request - even if a XML-HTTP-Request was made. Due to race conditions this will make many developers headaches and is a bug that should be fixed.