When I log into a wiki (tested enwiki, frwiki) and then log back out, the served HTML from that point onwards (random articles and such) appears correctly with a logged-out header, but a cookie like enwikiSession=XXXXXXXX is left behind. This triggers current Varnish code to assume I'm still logged in, which causes all my pageviews to be uncacheable responses rather than cacheable. I'm not 100% sure whether this is a recent regression - I think it is, but either way this should be fixable...?
I'm not 100% sure whether this is a recent regression - I think it is
It's not. Logging out in MediaWiki clears the UserID and Token cookies and various CentralAuth cookies, but as far as I can tell it has never removed the PHP session cookie.
OWASP ASVS 2.7 (a draft version) had "Verify that the session id is changed or cleared on logout"; for 3.0 that was changed into the vaguer "Verify that all successful authentication and re-authentication generates a new session and session id". Their testing guide says "It should be not necessary for the security of the application, but setting session cookies to new values after log out is generally considered as good practice." So I guess no reason not to.
Yep, exactly what @Tgr said. Historically, it was considered best practice to delete or change it, in case you forgot to also disable the session server side. I think everyone now realizes that if you don't disable the session server side, it doesn't matter what you actually send to the client.
That said, if we're disabling the session server-side, we may want to remove it on logout, so users go back to getting the cached versions of pages.
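The behaviour discussed in this thread, as an added model that is not MediaWiki or Wikimedia Varnish code: logout invalidates the session server-side either way, but only when the session cookie is also expired does the edge see a logged-out client again. Cookie names other than enwikiSession and the edge rule are assumptions.

```python
import secrets
from typing import Dict, List

# Constructed model of the report; not MediaWiki or Wikimedia VCL code.
WIKI = "enwiki"
SESSION_COOKIE = f"{WIKI}Session"                  # the cookie left behind after logout
LOGIN_COOKIES = (f"{WIKI}UserID", f"{WIKI}Token")  # assumed names for cookies logout clears

SESSIONS: Dict[str, dict] = {}  # stand-in for the server-side PHP session store

def expire_cookie(name: str) -> str:
    """Set-Cookie value that tells the browser to delete `name`."""
    return f"{name}=deleted; Max-Age=0; Path=/; Secure; HttpOnly"

def login(user: str) -> Dict[str, str]:
    """Create a server-side session; return the cookies the client ends up holding."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user}
    return {SESSION_COOKIE: sid, LOGIN_COOKIES[0]: "1", LOGIN_COOKIES[1]: secrets.token_hex(8)}

def logout(cookies: Dict[str, str], clear_session_cookie: bool) -> List[str]:
    """Invalidate the session server-side (the part that matters for security), then
    return Set-Cookie headers. clear_session_cookie=False reproduces the reported behaviour."""
    SESSIONS.pop(cookies.get(SESSION_COOKIE, ""), None)
    names = list(LOGIN_COOKIES) + ([SESSION_COOKIE] if clear_session_cookie else [])
    return [expire_cookie(n) for n in names]

def apply_set_cookie(cookies: Dict[str, str], headers: List[str]) -> Dict[str, str]:
    """Simulate the browser: a Max-Age=0 Set-Cookie removes that cookie from the jar."""
    jar = dict(cookies)
    for header in headers:
        if "Max-Age=0" in header:
            jar.pop(header.split("=", 1)[0], None)
    return jar

def edge_cacheable(cookies: Dict[str, str]) -> bool:
    """Simplified edge rule from the report: any session/login cookie => treat as logged in."""
    return not any(n in cookies for n in (SESSION_COOKIE, *LOGIN_COOKIES))

def session_user(cookies: Dict[str, str]):
    """Who the server thinks the client is; None once the session is gone."""
    return SESSIONS.get(cookies.get(SESSION_COOKIE, ""), {}).get("user")

def simulate(clear_session_cookie: bool):
    """Log in, log out, then report (server-side identity, cacheable at the edge)."""
    jar = login("alice")
    jar = apply_set_cookie(jar, logout(jar, clear_session_cookie))
    return session_user(jar), edge_cacheable(jar)
```

simulate(False) shows the reported state: the server no longer knows the user, yet the leftover session cookie still makes every pageview uncacheable; simulate(True) restores cached pages.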