This bug is associated with a feature which prevents submission of forms by offsite javascript. For example, if a hacker wanted a page deleted, they could write some javascript, put it up on their website, then post a link to it on the user talk page of an administrator. The bug involved makes some unknown random event during an ordinary form submission appear essentially identical to this abuse scenario.
-- Tim Starling
So this is what is going on when you get the message "rollback action cancelled to prevent session hijacking"? Always wondered what was going on - if it meant my account might have been compromised (I changed my password after getting that message, just to be safe; always thought I should enquire about what that meant).
Ian