A user logs in before, but for some reason the session times out.
The user is using Chrome(version 28 which has previews to the website, when opening a new tab)
The user try to open a new tab in Chrome and quickly type the fisheye home address and hit enter
The user should have no problem logging in because there is a remember me cookie set already from the last login.
The user is forced to log in again.
The preview feature from chrome's new tab page tries to load a thumbnail from fisheye which trigger a request to Fisheye with the remember me cookie. This request comes along with the user's request and they cause a racing condition.
If the chrome's request comes first, the backend will generate a new RND number for the the remember me cookie. However, the user's real request comes to the backend with the old cookie number. That will result in a mismatch.
The problem may not only happens in chrome, but in any situation where there are two requests triggered simultaneously after session timeout or expired.