Setting $wgCookieExpiration = 0 does not, as documented, make all cookies in-session. Rather, it makes all cookies expire 0 second from the server time. This usually does not cause an issue because MediaWiki will load the user from the session instead, but it causes issues with any extensions that use cookies (specifically Extension:SecureSessions). Will have a patch to fix this in Gerrit soon. Maybe this should be backported?
Version: 1.22.0
Severity: normal