A configuration problem on one of our servers (the xwiki.org farm) causes the same session ID to be reused for new clients, while the session is not invalidated. This causes a new client to take over an existing session, which means that it now has a valid Principal object in the session.
XWIKI-3013, this session Principal is enough to consider the user authenticated. XWIKI-3342 improves the security by checking the cookies also, and invalidating the login if the user stored in the cookies does not match the session user. However, XWIKI-3342 is incomplete, since it fails to clear the session if no authentication cookies were present to start with.