Recently, we got hit by a viral article which brought our servers to their knees.
In theory, this shouldn't happen because we have Varnish cache between the content servers and the public. We've had this happen in the past and Varnish has performed flawlessly. However, it now appears that every page request is being punted to the content backends.
I'm still digging into it; however, one thing that stands out is the presence of a PHPSESSID cookie where there never used to be one, and the presence of any cookies (by default) is a cache-killer for Varnish.
A test shows that a simple PHP script does not set this cookie (and is cached properly) and a bit of googling suggests that it is set by the PHP session_start() call. Grepping through all the PHP on our WPMS instance shows this call only in Membership 2 Pro, Appointments+ and Directory (all of which are WPMU plugins).
We can discard (for now) Appointments and Directory because they're only active on a few sites, but M2P is network activated in network protection mode (and only since around June), so it's a fair bet that this is where this cookie is coming from.
How important are PHP sessions to M2P? We really only care about M2P for logged-in users, so one possibility is to look for the wordpress_logged_in cookie and discard PHPSESSID only if it is not present.
Can M2P devs advise on the significance of/need for PHP sessions in M2P, and also please note that the way M2P is structured clobbers many Varnish installs (and will produce unpredictable results on others, depending on how Varnish is configured to treat WP cookies)?
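
The workaround floated in the post (discard PHPSESSID only when no wordpress_logged_in cookie is present) could look like the following in Varnish. This is an added example, not configuration from the original poster or from the Membership 2 Pro or Varnish projects. It assumes VCL 4.0 syntax, a placeholder backend address, and that anonymous visitors need no PHP session, which is the open question the post asks.

```vcl
vcl 4.0;

backend default {
    .host = "127.0.0.1";  # assumed backend address, adjust to your setup
    .port = "8080";       # assumed backend port
}

sub vcl_recv {
    # Never cache login/admin traffic or requests from logged-in users;
    # their cookies (including PHPSESSID) reach the backend untouched.
    if (req.url ~ "/wp-(login\.php|admin)" ||
        req.http.Cookie ~ "wordpress_logged_in") {
        return (pass);
    }

    if (req.http.Cookie) {
        # Anonymous visitor: drop only PHPSESSID, keep any other cookies.
        set req.http.Cookie = regsuball(req.http.Cookie,
            "(^|;\s*)PHPSESSID=[^;]*", "");
        set req.http.Cookie = regsub(req.http.Cookie, "^;\s*", "");
        # If nothing is left, remove the header so the request is cacheable.
        if (req.http.Cookie ~ "^\s*$") {
            unset req.http.Cookie;
        }
    }
}

sub vcl_backend_response {
    # A cached Set-Cookie would hand one visitor's session ID to everyone
    # served from that object, so strip it from responses that may be
    # cached. Passed requests (bereq.uncacheable) keep their cookies.
    if (!bereq.uncacheable && beresp.http.Set-Cookie) {
        unset beresp.http.Set-Cookie;
    }
}
```

Stripping the request cookie alone is not enough: the backend still answers with a fresh Set-Cookie: PHPSESSID, and Varnish's built-in logic refuses to cache responses that set cookies, so both halves are needed.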