when running concourse web --help

it returns

          --tsa-session-signing-key=                                    Path to private key to use when signing tokens in reqests to the ATC during registration. [$CONCOURSE_TSA_SESSION_SIGNING_KEY]

so then session_sign_key is configured by CONCOURSE_TSA_SESSION_SIGNING_KEY

but actually its CONCOURSE_SESSION_SIGNING_KEY

I guess, naming wise CONCOURSE_TSA_SESSION_SIGNING_KEY should be right