The problem was difficult to track down because it tended to disappear for a while and then come back.
The code in question eventually turned out to be the 204 responses from some of the Ajax requests. Rather than being initialised each time, the response was saved in a global variable. However, it was possible somewhere in the authentication middleware for a session token to be attached to the stored response.
I only really found it by tallying the places where it seemed to happen most often, with some curl scripts which hit one of those endpoints, and waiting for the session to be set in the response.
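A minimal model of the bug described above, added here as an illustration and not taken from the original code. The `Response` class, the two views, the middleware and the traffic are hypothetical, constructed stand-ins with no particular framework assumed; the replay check plays the role of the curl scripts.

```python
# Constructed, framework-free model of the bug; all names are hypothetical.

class Response:
    def __init__(self, status):
        self.status = status
        self.headers = {}

# Vulnerable: one 204 object built at import time and reused for every request.
SHARED_NO_CONTENT = Response(204)

def vulnerable_view(request):
    return SHARED_NO_CONTENT

def safe_view(request):
    # Hardened: a fresh response per request, so nothing can carry over.
    return Response(204)

def auth_middleware(view):
    """Stand-in for the authentication middleware: it sets the session
    cookie on whatever response object the view returns."""
    def handle(request):
        response = view(request)
        token = request.get("session")
        if token:
            response.headers["Set-Cookie"] = f"session={token}"
        return response
    return handle

def leaked_cookies(view, requests):
    """Replay requests in order and report every response whose Set-Cookie
    does not belong to the request that received it."""
    app = auth_middleware(view)
    leaks = []
    for i, request in enumerate(requests):
        cookie = app(request).headers.get("Set-Cookie")
        token = request.get("session")
        expected = f"session={token}" if token else None
        if cookie != expected:
            leaks.append((i, cookie))
    return leaks

# Constructed traffic: anonymous, then a logged-in user, then anonymous again.
TRAFFIC = [{"session": None}, {"session": "alice-token"}, {"session": None}]

if __name__ == "__main__":
    print("vulnerable:", leaked_cookies(vulnerable_view, TRAFFIC))
    print("safe:      ", leaked_cookies(safe_view, TRAFFIC))
```

The leak only shows up on requests that arrive after an authenticated one has touched the shared object, and it clears on a process restart, which matches the way the problem came and went.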