Chaining security contexts is defective: where certain security contexts are chained in a certain way, users can log in as arbitrary users through trivial URL manipulation.
Reserved CVE-2014-5059 for this vulnerability.
@apetro – Isn't this ticket finished?
I left it open to remind me to triple-check that this is resolved in `master`, where I wasn't doing testing in the release engineering process, and to take a pass through the not-in-source-control wiki documentation to ensure that the examples there aren't encouraging folks to get back to an insecure configuration. Probably need big fat warnings in the wiki documentation. Here, I'll create a couple of subtasks so the remaining things to do aren't just in my head.
Task and subtasks done.