Reported in the Debian BTS as #282565, see
The cookie used to hold authentication information
appears to be the same for all wikis on a given host,
even if the wiki names differ.
This is something of a security issue if you have
multiple wikis on a single host, where the wikis have
different access restrictions, as
you can log in on one wiki where you have access, and
then move over to any other wiki on the same host and
make edits, even if you could not have logged in to
that other wiki.
I have prepared a patch that addresses this issue by
prepending a sanitised version of WIKI_NAME to the auth
cookie name. This patch will be applied to the Debian
packages until it is merged upstream.