edicl/hunchentoot

Don't REMOVE-SESSION when a "fake session identifier" is detected.

Opened this issue · 0 comments

In SESSION-VERIFY, if the request contains the wrong session-string, the identified session is removed from the acceptor. As is noted in the comment, this means that the true owner of the session will have to re-establish the session (i.e. log in again).

While the most likely cause for the "fake session id" is a changed user-agent (version) or remote IP address, a malicious attacker could very easily remove all the server's sessions by generating easily predictable IDs and passing in fake session strings for each ID. This would be an effective DoS attack requiring almost no effort or resources.

Can the call to REMOVE-SESSION from within SESSION-VERIFY be either removed or at the very least be made into an option?

Also, I'd suggest changing the default value of USE-USER-AGENT-FOR-SESSIONS to NIL, since this can invalidate a session even just by a minor version update to the user agent.
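The two behaviours discussed in this issue can be modelled in a few dozen lines. The following is an added example, not Hunchentoot's code: a toy session store whose cookie has the same `id:verification-string` shape, with a sequential id and a keyed MAC over the id plus the client properties the deployment chooses to bind (user agent, remote address). The `remove_on_mismatch` and `use_user_agent` switches, the `Session` class and the sample user-agent and address values are all constructed for the illustration. `survives_sweep` is the regression check a maintainer would want: after a batch of requests carrying wrong verification strings for ids 1..N from an unrelated client, the real owner's cookie must still verify. `ua_minor_update_ok` shows why binding the exact user-agent string invalidates a session on a routine browser update.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: int
    user_agent: str
    remote_addr: str
    data: dict = field(default_factory=dict)


class SessionStore:
    """Toy model of an id + verification-string session cookie.
    Constructed for illustration; not Hunchentoot's implementation."""

    def __init__(self, remove_on_mismatch=False, use_user_agent=True,
                 use_remote_addr=True, secret=None):
        self.secret = secret or secrets.token_bytes(32)
        self.remove_on_mismatch = remove_on_mismatch
        self.use_user_agent = use_user_agent
        self.use_remote_addr = use_remote_addr
        self.sessions = {}
        self.next_id = 1              # sequential ids are trivially guessable
        self.failed_verifications = 0  # worth logging/alerting on in practice

    def _verification_string(self, sid, user_agent, remote_addr):
        # Keyed MAC binding the id to whichever client properties are enabled;
        # without the secret the string cannot be forged for a given id.
        parts = [str(sid)]
        if self.use_user_agent:
            parts.append(user_agent)
        if self.use_remote_addr:
            parts.append(remote_addr)
        msg = "\x00".join(parts).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def start_session(self, user_agent, remote_addr):
        sid = self.next_id
        self.next_id += 1
        self.sessions[sid] = Session(sid, user_agent, remote_addr)
        return f"{sid}:{self._verification_string(sid, user_agent, remote_addr)}"

    def verify(self, cookie, user_agent, remote_addr):
        """Return the Session for a valid cookie, else None."""
        try:
            sid_text, presented = cookie.split(":", 1)
            sid = int(sid_text)
        except ValueError:
            return None
        session = self.sessions.get(sid)
        if session is None:
            return None
        expected = self._verification_string(sid, user_agent, remote_addr)
        if hmac.compare_digest(expected.encode(), presented.encode()):
            return session
        # Wrong verification string: this request is not the session owner.
        self.failed_verifications += 1
        if self.remove_on_mismatch:
            # The behaviour the issue objects to: an unauthenticated request
            # evicts the real owner's session.
            del self.sessions[sid]
        return None


def survives_sweep(remove_on_mismatch, n=10):
    """Start one legitimate session, then feed wrong verification strings
    for ids 1..n from another client. Returns True if the owner's cookie
    still verifies afterwards."""
    store = SessionStore(remove_on_mismatch=remove_on_mismatch)
    owner_ua, owner_ip = "Mozilla/5.0 (X11) Firefox/120.0", "198.51.100.7"
    cookie = store.start_session(owner_ua, owner_ip)
    for sid in range(1, n + 1):
        store.verify(f"{sid}:not-the-right-string", "curl/8.0", "203.0.113.9")
    return store.verify(cookie, owner_ua, owner_ip) is not None


def ua_minor_update_ok(use_user_agent):
    """Does a session survive a minor user-agent version bump between
    requests from the same address?"""
    store = SessionStore(use_user_agent=use_user_agent)
    ip = "198.51.100.7"
    cookie = store.start_session("Mozilla/5.0 (X11) Firefox/120.0", ip)
    return store.verify(cookie, "Mozilla/5.0 (X11) Firefox/120.0.1", ip) is not None


if __name__ == "__main__":
    print("remove on mismatch, owner survives:", survives_sweep(True))
    print("keep on mismatch, owner survives:  ", survives_sweep(False))
    print("UA bound, survives update:         ", ua_minor_update_ok(True))
    print("UA not bound, survives update:     ", ua_minor_update_ok(False))
```

With `remove_on_mismatch=False` the store still rejects the mismatched request; it just counts it instead of evicting the victim, which is the point of the suggested change. The `failed_verifications` counter stands in for the log line or metric that would let an operator notice a sweep of bad cookies.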