Hi,
At de.wikipedia someone who seems reliable (8k edits) claims that he was identified as the wrong user: he could do everything as this user (he posted a screenshot of the Settings page, see http://de.wikipedia.org/wiki/Datei:Alasto2.png).
His username is Marsupilami, the occupied username is Alasto2.
His cookies are correct (see http://de.wikipedia.org/w/index.php?title=Wikipedia:Fragen_zur_Wikipedia&oldid=61039969#Wieso_bin_ich_nicht_mehr_ich.3F at the bottom).
After having a quick look at CentralAuthUser.php, it seems to me that getSession() only looks at the MD5 hash in the Session cookie. So maybe it's unlikely that two people have the same hash, but I think it would be better to also check the "centralauth_User" cookie. I'm not sure if I'm reading the code correctly, but there is the problem that one user can see/do everything for another user.
Version: unspecified
Severity: major
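The lookup the report describes, as an added illustration that is not CentralAuth's own code: a session store keyed only by the Session cookie value beside a variant that also requires the centralauth_User cookie to agree with the account the session was created for. The cookie names, the in-memory store and the forced collision in demo_cross_user() are all assumptions constructed for the example.

```python
import hashlib
import secrets

# Cookie names are assumed here (the report names "centralauth_User" and
# "the Session cookie"); the dict store is a constructed stand-in, not CentralAuth code.
SESSION_COOKIE = "centralauth_Session"
USER_COOKIE = "centralauth_User"


def new_session_id():
    """Random 128-bit id, rendered as an MD5-style hex digest like the cookie value the report describes."""
    return hashlib.md5(secrets.token_bytes(16)).hexdigest()


def login(store, username):
    """Create a session for username and return the cookies a browser would then hold."""
    sid = new_session_id()
    store[sid] = username
    return {SESSION_COOKIE: sid, USER_COOKIE: username}


def get_session_weak(store, cookies):
    """Resolve the user from the Session cookie alone (the pattern the report describes)."""
    return store.get(cookies.get(SESSION_COOKIE))


def get_session_checked(store, cookies):
    """Resolve the user only if centralauth_User agrees with the account the session belongs to."""
    user = store.get(cookies.get(SESSION_COOKIE))
    if user is None or user != cookies.get(USER_COOKIE):
        return None
    return user


def demo_cross_user():
    """Constructed scenario: Marsupilami's browser presents a Session id that the store maps to Alasto2.

    Returns (weak_result, checked_result).
    """
    store = {}
    alasto = login(store, "Alasto2")
    marsu = login(store, "Marsupilami")
    # Force the mix-up the report suspects: Marsupilami's Session cookie carries Alasto2's id.
    mixed = {SESSION_COOKIE: alasto[SESSION_COOKIE], USER_COOKIE: marsu[USER_COOKIE]}
    return get_session_weak(store, mixed), get_session_checked(store, mixed)


if __name__ == "__main__":
    print(demo_cross_user())  # ('Alasto2', None)
```

The extra comparison only protects an honest browser from being mapped to the wrong account when session ids get mixed up; a client that deliberately presents both cookies of another user still passes it, so the session value itself must stay unguessable and the user cookie must never be trusted on its own.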