The most likely reason for this is because the expiry time set on the cookie sent to the client exceeds that set for the session in the database. This is not a major problem per se but rather a segment of your user interface and session control which needs to be approached more defensively - That is, your coding approach to this element of your user interface should anticipate the scenario where a session ID provided by a client may be no longer valid.

For example, consider the following mock-up code based on the snippet provided and some of my code that uses Apache::Session:

my %session;
eval {
    tie %session, 'Apache::Session::MySQL', $cookie, {
        ...
    }
}
if ($@) {
    #   error occurred in session information retrieval ?
}

if (exists $session{$cookie}) {

    # ... user session is still valid ...

} else {

    # ... user session no longer valid ...

}
[download]

It may be worthwhile having a look at Essential CGI Security Practices and Securing CGI scripts - In short, code defensively and never trust anything sent from the browser.