this wasn't just a bug with flask-session either, there are even github issues concerning flask-kvsession with the IDENTICAL issue to what was happening here
so you know what? fuck it. back to client side sessions, the ONLY reason they were being used before is captcha anyway. captchas are irrelevant anyway if the site is dead from random users being assigned the sessions of other users.
i've spent way too much fucking time trying to hunt down this fucking bug, all to preserve server-side sessions which were used only for captchas. fuck.
not an ideal solution by any means, but i got tired of trying to hunt down a bug caused by some obscure race condition