Type: Improvement
Resolution: Unresolved
Priority: Unknown
Affects Version/s: None
Component/s: Symfony
Project: PHP Drivers
MongoDbSessionHandler does not perform session locking. When concurrent requests write to the same session, this can cause race conditions and data loss (e.g. "Invalid CSRF token" errors).
The same issue exists for RedisSessionHandler and MemcachedSessionHandler in Symfony (symfony/symfony#4976). The recommended solution for those handlers is to use PHP's native session handler via php.ini, which provides locking natively.
For MongoDB, a similar opt-in locking mechanism should be implemented — either via a constructor option or a dedicated subclass — to allow applications that require session consistency to enable it.
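The following is an added example of what such an opt-in lock could look like, written as a decorator around MongoDbSessionHandler rather than a subclass so it only relies on public APIs. It is not code from Symfony or from the MongoDB PHP driver. It assumes the mongodb extension plus the mongodb/mongodb library, PHP 8.0+, and invents the LockingSessionHandler class, its constructor options and the session_locks collection name; a lock document per session ID is taken with an atomic updateOne so that concurrent requests for the same session are serialized between read() and write(), the same guarantee PHP's native file handler gives.

```php
<?php
// Added example, not Symfony or MongoDB driver code. The class, its options and the
// "session_locks" collection are hypothetical names chosen for this illustration.

use MongoDB\BSON\UTCDateTime;
use MongoDB\Client;
use MongoDB\Collection;
use Symfony\Component\HttpFoundation\Session\Storage\Handler\MongoDbSessionHandler;

final class LockingSessionHandler implements \SessionHandlerInterface
{
    private ?string $lockedId = null;
    private string $token;

    public function __construct(
        private \SessionHandlerInterface $inner,   // e.g. MongoDbSessionHandler
        private Collection $locks,                 // one document per locked session id
        private int $lockTtlSeconds = 30,          // a crashed request must not hold the lock forever
        private float $waitSeconds = 10.0,         // how long a concurrent request may wait
    ) {
        // Random owner token: a request may only release the lock it acquired itself
        $this->token = bin2hex(random_bytes(16));
    }

    private static function now(int $offsetSeconds = 0): UTCDateTime
    {
        return new UTCDateTime((int) ((microtime(true) + $offsetSeconds) * 1000));
    }

    private function acquire(string $id): void
    {
        $deadline = microtime(true) + $this->waitSeconds;
        do {
            // Ensure a lock document exists. $setOnInsert is a no-op when it already does,
            // so this never raises a duplicate-key error (a TTL index may have removed it).
            $this->locks->updateOne(
                ['_id' => $id],
                ['$setOnInsert' => ['owner' => null, 'expires_at' => new UTCDateTime(0)]],
                ['upsert' => true]
            );
            // Atomic compare-and-set: take the lock only if nobody holds it or the
            // previous holder's lease has expired. modifiedCount === 1 means we won.
            $result = $this->locks->updateOne(
                ['_id' => $id, '$or' => [['owner' => null], ['expires_at' => ['$lt' => self::now()]]]],
                ['$set' => ['owner' => $this->token, 'expires_at' => self::now($this->lockTtlSeconds)]]
            );
            if ($result->getModifiedCount() === 1) {
                $this->lockedId = $id;
                return;
            }
            usleep(50_000);
        } while (microtime(true) < $deadline);

        // Fail closed: an unlocked read is exactly the race this handler exists to prevent.
        throw new \RuntimeException(sprintf('Timed out waiting for session lock on "%s"', $id));
    }

    private function release(): void
    {
        if ($this->lockedId === null) {
            return;
        }
        // The owner filter stops us from deleting a lock another request took over
        // after our lease expired.
        $this->locks->deleteOne(['_id' => $this->lockedId, 'owner' => $this->token]);
        $this->lockedId = null;
    }

    public function open(string $path, string $name): bool { return $this->inner->open($path, $name); }

    public function read(string $id): string|false
    {
        $this->acquire($id);                       // block until we own the session
        return $this->inner->read($id);
    }

    public function write(string $id, string $data): bool
    {
        try { return $this->inner->write($id, $data); } finally { $this->release(); }
    }

    public function destroy(string $id): bool
    {
        try { return $this->inner->destroy($id); } finally { $this->release(); }
    }

    public function close(): bool
    {
        $this->release();                          // safety net if write() was never called
        return $this->inner->close();
    }

    public function gc(int $max_lifetime): int|false { return $this->inner->gc($max_lifetime); }
}

// Wiring: a TTL index on expires_at lets MongoDB drop stale lock documents by itself.
$client = new Client('mongodb://localhost:27017');
$locks = $client->selectCollection('app', 'session_locks');
$locks->createIndex(['expires_at' => 1], ['expireAfterSeconds' => 0]);

$handler = new LockingSessionHandler(
    new MongoDbSessionHandler($client, ['database' => 'app', 'collection' => 'sessions']),
    $locks
);
session_set_save_handler($handler, true);
session_start();
```

Two design points worth noting. The lock is held from read() until write() or close(), so a slow request blocks every other request for the same session, just as PHP's native file handler does; applications that issue many parallel requests per session should call session_write_close() as soon as they stop touching session data. And the lease timeout is a liveness safeguard, not a correctness guarantee: a request that outlives its lease can still lose the race it was meant to prevent, so the TTL should comfortably exceed the longest request that writes to the session.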