For JS agent v3 and earlier versions, session_id should not be related to the user session, so you can generate it at any given time. We'll connect to the user with the Fraud API call when you provide both user_id and session_id in the same request.
For JS agent v4, you should be sending the 'session' parameter instead of the session_id, in which there is no longer the callback step, so if integrated properly, it should always deliver perfect device information. You can find more information about the configuration of the JS agent as well as common issues here.