Can't the code that handles the incoming session ID decide whether it's a 'current' session, and if not, assign a new session ID when it re-writes the URL? That would get around the problem that (I think) you've described.

Or maybe I've missed something.