In my situation pages of closed Wikis could be accessed and modified by unauthorised users.
Users who were admin in one wiki got admin-privileges in wikis where they are not even registered.
So the symptoms were rather severe, but it's not really critical,
because the problem occurs only under unusual and rare configurations.
The main preconditions for the session-collisions are:
1) each wiki runs in an apache port-based virtual host
2) each wiki has the same relative path to its vhosts document root ("DOKU_REL")
3) each vhost uses the default (identical) PHP-session.save_path
I'm not sure if this configuration is just unconventional or "wrong",
especially whether separation of save_path is a well known necessity.
(I'm not an experienced webmaster).
Using the same save_path, and the same relative wiki-path for name-based vhosts works,
because (contrary to port-based vhosts) name-based vhosts always have different session-id's.
In other words - the good news:
name-based vhosts always work out-of-the-box.
Even if several wikis share the same save-path.
Even if the corresponding DokuWikis use the same relative path to the document root.
port-based vhosts don't work out-of-the-box:
It's necessary to either:
-) change save_path in apache-config
-) change algorithm for DOKU_COOKIE (in init.php)
-) change algorithm for session-id (don't know where and how).
So there are many ways to solve the problem and I'm happy with my workaround.
Just ignore this, unless you believe other users fall into the same trap.
port-based vhosts have more strange effects:
The session-ids are *sometimes* different: when different aliases are used.
"18.104.22.168:8080" and "22.214.171.124:8081" get the same session-id for different wikis.
"126.96.36.199:8080" and "localhost:8080" get different session-ids for the same wiki.
Looks like the name of the webserver plays a role when session-ids are created
while the portnumber doesn't - no idea where/how this happens ...
I've the impression part of this mess is beyond the scope of DokuWiki,
but rather architectural limitations of PHP/apache ...
So maybe it's easier to just add the following paragraph to the documentation:
"Don't use port-based virtual hosts for multiple DokuWiki instances."
If you're still interested in a deeper look:
I attached details how to reproduce and debug the problem.
German only, apologies, I'll translate it if someone is interested (currently not enough time).
Regards, Markus Widter