The way the CSession class handles PHP sessions is invalid. Any call to setValue, getValue, etc. starts with a call to session_start (which should be done once for the whole execution), which causes PHP to set an additional cookie with the same value.
The simplified test-case is:
for($i = 0; $i < 1000; $i++)