Nick Jenkins wrote:
I'm not 100% sure why, and it's so rare that it's _extremely_ hard to be sure, but my working theory is that by pure random fluke two session_id strings or two session file names/keys have clashed, resulting in user identity getting confused.
I had that thought too, but Steve already explained why this is not the cause.
In addition, also note that the original posting that started this thread was talking about a block message. Blocks are per IP, not per session token, so this falsifies your theory too.
The original report shows that for some pageviews, the system thinks you're coming from a different IP than you really are.
My theory is that the system (either MediaWiki or the squids) mixes up two simultaneous connections. Two people requesting a page from the same server (or the same squid) at the same time, and both receiving the output that was meant for the other person.
As long as such a pageview mix-up is extremely rare, there is next to no chance for anyone to exploit it maliciously, but it *is* possible, and it becomes more possible if this happens more frequently.
By the way, I have reason to believe that PHP makes sure that session tokens are unique when they are assigned.
Timwi