I remember session.forget() being documented as a performance enhancement - if there are no plans to alter the session on this call, do this to save the write. I think this would be the most common use. Adding the response parameter to unlock the session file is only required if there is a need for concurrency in the same session. Normally this would apply to a user using more than one tab/window/browser from the same machine.
I have not explored what happens when you have multiple users behind a NAT box because to the server they would all appear to be using the same IP address. I need to study up on what causes the server to use a new session.