By default session data are stored in files. The implementation is locking a file from opening a session to the point it's closed either by session_write_close() or at the end of request. While session file is locked all other requests which are trying to use the same session are blocked i.e. waiting for the initial request to release session file. This is fine for development and probably small projects. But when it comes to handling massive concurrent requests, it is better to use more sophisticated storage, such as database.