The \core\session\manager::session_exists() phpdocs says that it is not supposed to check the sessions table for existence of sid, but the WS code expects it anyway.

I suppose it should be changed to first verify the db record for session exists and only if yes try to lookup the sid in session backend.

This may be a security issue because the session gc may not always work properly - see MDL-46552