On MediaWiki 1.27, 1.28 and current master, if in php.ini you have session.auto_start = 1, then users are unable to login. Logging in just keeps creating new session IDs (as we can see in the session cookie).
As a bonus, if we also have session.hash_bits_per_character = 6, on MediaWiki 1.27 (this doesn't happen on 1.28) when opening the site for the first time (or with private browsing) we get:
If we can't prevent this from happening when session.auto_start is enabled, we should emit at least an informative error message on the login page, and of course an error in the installer.
Outcome
Either restore support fore session.auto_start=1 (like before MW 1.28), or document that this is not supported, detect it during the installer, and fail at run-time (e.g. from PHPSessionHandler).