This is not really a bug report but rather an esoteric behavior that I hope can help others save the time I spent debugging it.
I am implementing a scalable multi-server deployment of a Yii application (using haproxy as a round-robin load-balancer, no session affinity) and I took all the necessary/recommended steps:
1- Used DB sessions for session sharing;
2- Made sure the runtime folder contents is shared by all servers;
Nevertheless, I could not get authentication to function properly when submitting requests to different servers, although sessions and authentication cookies seemed to be working in the proper way.
So, after careful study of the framework, I found out that Yii stores authentication information in the session record by prefixing it with the application ID. However, this application ID depends on the base location of the application installation.
It turns out that indeed my application was installed in different locations on different servers and the ID was not matching. Therefore there is a third step to the list above:
3- Make sure your app is installed in the same folder throughout all servers.