A Rails 2.3.9 app with Active Record or Memcache session store will never send the session ID cookie to a client if the client doesn’t send any HTTP cookies in its requests. Rails integration tests didn’t catch this because they always send the HTTP_COOKIE header, even if it’s empty.
This is a huge bug, as it can break keeping sessions on sites which don’t set any additional cookies for its visitors. Visitors without existing cookies will not be able to log in, for example (this is how I discovered the bug).
An unobtrusive monkeypatch for existing apps can also be found on the ticket.