- Type: Bug
- Resolution: Support Request
- Priority: Medium
- None
- Affects Version/s: None
- Component/s: None
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.
While logged into Confluence, refreshing a page or following a Confluence page link results in an unexpected user login switch to another user, with all associated preferences/privileges of the new user. The behavior is as if your session just "took over" another user, without requiring any password whatsoever.
We have seen this happen to all users, with increasing frequency possibly related to time since Confluence was restarted. At 20 days uptime we see user sessions morph to other users several times a day. The morphing can happen in the midst of an active session (e.g., while editing a page or navigating Confluence) or after being idle for 8-10 hours. It also is independent of various combinations of client OS and browsers: Mac OS X, Linux, MS Windows, Firefox, Safari, Internet Explorer, Camino.
We have yet to determine conditions to reproduce the behavior at will. Perhaps integrating user id in the session cookie might be an effective check against unauthorized access.
- relates to: CONFCLOUD-6614 user login changes into another user login (Closed)
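The report's closing suggestion, binding the user id into the session cookie, can be sketched as follows. This is an added example, not Confluence code or anything from the report: the cookie layout, the in-memory `sessions` dict and all function names are assumptions. The server MACs the session id together with the user id at login and refuses any request where the server-side session resolves to a different user than the one the cookie was issued to.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret known only to the server.
SERVER_KEY = secrets.token_bytes(32)

def _mac(session_id: str, user_id: str) -> str:
    # Length-prefix both fields so ("ab", "c") and ("a", "bc") never share a MAC.
    msg = f"{len(session_id)}:{session_id}|{len(user_id)}:{user_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_cookie(sessions: dict, user_id: str) -> str:
    """Create a server-side session; return a cookie value bound to user_id."""
    session_id = secrets.token_urlsafe(32)  # base64url alphabet, never contains "."
    sessions[session_id] = user_id
    return f"{session_id}.{user_id}.{_mac(session_id, user_id)}"

def check_request(sessions: dict, cookie: str):
    """Return (user_id, reason); user_id is None when re-authentication is required."""
    try:
        session_id, rest = cookie.split(".", 1)
        claimed_user, tag = rest.rsplit(".", 1)  # user ids may themselves contain "."
    except ValueError:
        return None, "malformed"
    expected = _mac(session_id, claimed_user)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None, "bad-mac"
    stored_user = sessions.get(session_id)
    if stored_user is None:
        return None, "no-session"
    if stored_user != claimed_user:
        # The symptom described above: the session now resolves to someone else.
        # Fail closed, drop the session, and let the caller log the event.
        sessions.pop(session_id, None)
        return None, "user-mismatch"
    return stored_user, "ok"

if __name__ == "__main__":
    store = {}  # constructed stand-in for the server's session store
    cookie = issue_cookie(store, "alice")
    print(check_request(store, cookie))
    store[cookie.split(".", 1)[0]] = "bob"  # simulate the session "morphing"
    print(check_request(store, cookie))
```

The check does not explain why a session would resolve to another user; it turns a silent identity switch into a forced re-login and an event that can be logged and investigated.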