In the Wiki Ed dashboard OAuth app, I'm adding the ability for the app to update user preferences, setting VisualEditor-related settings to match our training materials and documentation by enabling multi-tab and disabling the welcoming and user education flags.
I got this working locally, but when I deployed to staging, I discovered that it only works for some users. When I try to set the options — action=options&change=visualeditor-editor=visualeditor|visualeditor-hidebetawelcome=1|visualeditor-hideusered=1|visualeditor-tabs=multi-tab, I get options: success back for users Ragesock (which was created in 2007) and Ragesoss (2005), but when I try with users Sage (Wiki Ed) (2014) or Ragetest 14 (2015), I always get the badsession error. Other OAuth API actions, such as page edits, work fine for these users; only the options action fails.
I can replicate this locally as well; it always works for Ragesock, but never for Ragetest 14.
(Not sure where exactly this problem comes from, so I tagged a few possible projects.)