On cached hosts (WP Engine, WP Super Cache, etc.) the session manager must avoid sending a session cookie on cached pages, to make sure a single session cookie isn't being sent to multiple users due to the re-use of the cookie headers from the cache (the cache should strip that out - but I can't verify that they all do).
This work really belongs in the implementing application tier, but some tools could be created that could aid development. For example, an admin area to implement a list of URL patterns to either allow or disallow the session cookies from being set on specific pages (probably you'd want to specify a list of uncached pages, rather than a list of cached pages, since cached pages should be the default catch-all condition).
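A sketch of the allow-list approach described above, as an added example that is not part of the original issue or of the plugin's code. The pattern list, function names and cookie name are hypothetical, and it assumes the request path is what the host's cache uses to decide which pages are cached.

```php
<?php
// Hypothetical list of paths the host is assumed to exclude from its page cache.
// Anything not matched is treated as cached, so the default is "no cookie".
const UNCACHED_PATTERNS = ['/cart/*', '/checkout/*', '/my-account/*'];

function may_send_session_cookie(string $request_uri, array $uncached_patterns): bool
{
    $path = parse_url($request_uri, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return false; // unparseable URI: treat as cached
    }
    $path = rawurldecode($path);
    // Reject dot segments so "/cart/../blog/" cannot pass as an uncached path.
    if (preg_match('#/\.{1,2}(/|$)#', $path)) {
        return false;
    }
    $path = rtrim($path, '/') . '/'; // "/cart" and "/cart/" match the same pattern
    foreach ($uncached_patterns as $pattern) {
        if (fnmatch($pattern, $path)) {
            return true;
        }
    }
    return false;
}

function send_session_cookie(string $session_id): void
{
    // Tell any intermediary cache not to store a response that carries the cookie.
    header('Cache-Control: private, no-store');
    setcookie('example_session', $session_id, [
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed sample requests, printed only when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = ['/', '/blog/post-1/', '/cart', '/checkout/pay/?step=2', '/cart/../blog/'];
    foreach ($samples as $uri) {
        $decision = may_send_session_cookie($uri, UNCACHED_PATTERNS) ? 'send cookie' : 'no cookie';
        printf("%-26s %s\n", $uri, $decision);
    }
}
```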