Session Cookie Security
Hi, I am supporting an old Laravel 4.2 app which has been through security testing by a third party; they have an issue with the session cookie in it. With each request the session cookie is sent back, but has a new value each time. When decrypting it, I can see it has three fields: IV, mac and the value itself. Doing some var_dumps etc., I can see that each cookie value relates to the same Session ID, which is what I would expect. The problem the security company has is that I can set the cookie to an old value and it will still work; the old values are not invalidated.
Does anyone have experience of dealing with this and know whether there is actually a risk with this? My thinking is that it is no less secure than storing the same cookie indefinitely. I have tried this with Laravel 5.2 and got the same outcome.
I can't really post any code from the app so hopefully my description is enough for someone to understand.
Thanks for taking the time to read this.
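To make the three-field layout and the "old values still work" behaviour concrete, here is an added example (not code from the post above, and not Laravel's own code) that models the cookie the way Laravel 5's `Illuminate\Encryption\Encrypter` builds it: a random 16-byte IV, AES-256-CBC over the session ID, an HMAC-SHA256 over `base64(iv).base64(value)` in hex, all packed as base64-encoded JSON with `iv`, `value` and `mac` keys. Laravel 4.2's encrypter uses mcrypt Rijndael-256 with a 32-byte block rather than AES-256-CBC, but the three-field structure and the fresh IV per response are the same, which is why 4.2 and 5.2 show the same outcome. The Go below skips PHP serialization of the value, and the `SessionStore` type is a stand-in for the server-side session driver, not Laravel's session handler; the key and session ID are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// payload is the three-field structure the poster saw after base64-decoding the cookie.
type payload struct {
	IV    string `json:"iv"`
	Value string `json:"value"`
	MAC   string `json:"mac"`
}

// Encrypter models the app's cookie encrypter: AES-256-CBC plus HMAC-SHA256 under one app key.
type Encrypter struct{ key []byte; block cipher.Block }
func NewEncrypter(key []byte) (*Encrypter, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return &Encrypter{key, block}, nil
}

// mac is HMAC-SHA256 over base64(iv)||base64(ciphertext), hex-encoded like PHP's hash_hmac.
func (e *Encrypter) mac(p payload) string {
	h := hmac.New(sha256.New, e.key)
	h.Write([]byte(p.IV + p.Value))
	return hex.EncodeToString(h.Sum(nil))
}

// Encrypt wraps a session ID as base64(JSON{iv,value,mac}). The IV is random per call,
// so the same session ID produces a different cookie string on every response.
func (e *Encrypter) Encrypt(sessionID string) (string, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	n := aes.BlockSize - len(sessionID)%aes.BlockSize // PKCS#7 padding
	plain := append([]byte(sessionID), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(e.block, iv).CryptBlocks(ct, plain)
	p := payload{IV: base64.StdEncoding.EncodeToString(iv), Value: base64.StdEncoding.EncodeToString(ct)}
	p.MAC = e.mac(p)
	js, _ := json.Marshal(p) // only string fields, cannot fail
	return base64.StdEncoding.EncodeToString(js), nil
}

// Decrypt checks the MAC before touching the ciphertext, so an edited or wrong-key cookie is rejected first.
func (e *Encrypter) Decrypt(cookie string) (string, error) {
	var p payload
	if js, err := base64.StdEncoding.DecodeString(cookie); err != nil {
		return "", err
	} else if err := json.Unmarshal(js, &p); err != nil {
		return "", err
	}
	if !hmac.Equal([]byte(p.MAC), []byte(e.mac(p))) {
		return "", errors.New("mac mismatch: cookie tampered or wrong key")
	}
	iv, err1 := base64.StdEncoding.DecodeString(p.IV)
	ct, err2 := base64.StdEncoding.DecodeString(p.Value)
	if err1 != nil || err2 != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("malformed iv or value")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(e.block, iv).CryptBlocks(plain, ct)
	n := int(plain[len(plain)-1]) // strip and verify PKCS#7 padding
	if n == 0 || n > aes.BlockSize || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad padding")
	}
	return string(plain[:len(plain)-n]), nil
}

// SessionStore stands in for the server-side session driver: the cookie only names a session ID, and whether that ID is still alive is decided here.
type SessionStore struct {
	Enc  *Encrypter
	Live map[string]bool // session IDs the backend still accepts
}

func (s *SessionStore) Start(id string)      { s.Live[id] = true }
func (s *SessionStore) Invalidate(id string) { delete(s.Live, id) } // logout or regeneration
// Resolve is the per-request check: any cookie that decrypts to a live ID passes, however old it is.
func (s *SessionStore) Resolve(cookie string) (string, bool) {
	id, err := s.Enc.Decrypt(cookie)
	if err != nil || !s.Live[id] {
		return "", false
	}
	return id, true
}
```

Two calls to `Encrypt` for one session ID give cookie strings that differ only in IV and ciphertext; both decrypt to the same ID and both are accepted for as long as the store still holds that ID. There is no per-cookie state that could be invalidated, so the controls that matter are the ones applied to the session ID itself: regenerate it on login and on privilege change, delete the server-side record on logout, and keep the session lifetime short. Note the order in `Decrypt`: the MAC is verified before any decryption, which is what keeps a hand-edited or wrong-key cookie away from the padding check.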