It was reported that multiple meta.wikimedia.org users received the same session ID. These users could act as the user who happened to be logged in according to the session value. It seems that Varnish may have cached some responses with Set-Cookie headers.
Clearing the session store and avoiding the Varnish cache by switching from Varnish to Squid did not rectify the situation. The session value which was the subject of the report was immediately recreated with the same username. My best theory on the cause of this is that the session was recreated by User::loadFromSession() due to a persistent token cookie.
Although we have no more reports, it's likely that more than one session ID was affected. So, to force regeneration of all session IDs, I am proposing to change the name of the session cookie.
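Two checks a defender could run while investigating a report like this, as an added example that is not part of the original bug or of MediaWiki/Varnish: one scans access-log lines for a session value bound to more than one account, the other flags a response that carries Set-Cookie yet was served from, or is eligible for, a shared cache. The log format, header names and sample values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical access-log layout:
# <client_ip> <username> session=<session id> <request line>
SAMPLE_LOG = """\
198.51.100.10 Alice session=a1b2c3d4 GET /wiki/Main_Page
198.51.100.11 Bob session=a1b2c3d4 GET /wiki/Special:Watchlist
198.51.100.12 Carol session=e5f6a7b8 GET /wiki/Main_Page
203.0.113.5 Alice session=a1b2c3d4 POST /w/index.php?action=edit
203.0.113.9 Dave session=e5f6a7b8 GET /wiki/Main_Page
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<user>\S+) session=(?P<sid>\S+) ")


def find_shared_sessions(log_text):
    """Return {session_id: sorted usernames} for every session value seen
    with more than one distinct account. One session ID tied to several
    users is the signature of the collision described in the report."""
    users_by_sid = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            users_by_sid[m.group("sid")].add(m.group("user"))
    return {sid: sorted(u) for sid, u in users_by_sid.items() if len(u) > 1}


def cached_with_set_cookie(headers):
    """True if a response that sets a cookie was served from cache (X-Cache
    HIT) or is marked cacheable by a shared cache (public / s-maxage without
    private or no-store). Such a response hands the same cookie to every
    client that receives the cached object. `headers` is a list of
    (name, value) pairs; names are compared case-insensitively."""
    h = defaultdict(list)
    for name, value in headers:
        h[name.lower()].append(value)
    if "set-cookie" not in h:
        return False
    hit = any("HIT" in v.upper() for v in h["x-cache"])
    cc = ",".join(h["cache-control"]).lower()
    shared_cacheable = ("private" not in cc and "no-store" not in cc
                        and ("public" in cc or "s-maxage" in cc))
    return hit or shared_cacheable
```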
Version: unspecified
Severity: major
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=57906