
How would that help here? They would just exchange one piece of immutable data (un-signed in user cookie) with another piece of wrong immutable data (someone else's session).


"While the immediate risk has been mitigated, we worked with the maintainer of Unicorn to upstream the change to make new requests allocate their own environment hashes. If Unicorn uses new hashes for each environment, it removes the possibility of one request mistakenly getting a hold of an object that can affect the next request."

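The quoted fix is easiest to see in code. The following is an added Ruby example, not GitHub's or Unicorn's own code: a constructed Rack-style app that stashes a reference to its `env` for deferred work (the kind of retained reference the quote describes), run once by a server loop that reuses a single env Hash between requests and once by a loop that allocates a fresh Hash per request. The app, the server loops and the two requests are all assumptions made up for the demonstration.

```ruby
# Constructed Rack-style app. It stores the current user in env and hands
# env to a deferred task (think audit logging after the response is sent).
# Holding a reference to env past the request is the bug pattern at issue.
class App
  attr_reader :deferred

  def initialize
    @deferred = []
  end

  def call(env)
    # Hypothetical session lookup: the cookie value stands in for the user.
    env['app.current_user'] = env['HTTP_COOKIE'].sub('session=', '')
    # Retained reference: the lambda will read env later, not now.
    @deferred << -> { env['app.current_user'] }
    [200, {}, ["hello #{env['app.current_user']}"]]
  end
end

# Server loop that reuses one env Hash, clearing it between requests
# (the behaviour the quote says Unicorn had).
def serve_with_shared_env(requests)
  app = App.new
  env = {}
  requests.each do |req|
    env.clear
    env.merge!(req)
    app.call(env)
  end
  # Run the deferred tasks after all requests, as a real queue would.
  app.deferred.map(&:call)
end

# Server loop that allocates a new env Hash for every request
# (the upstreamed fix).
def serve_with_fresh_env(requests)
  app = App.new
  requests.each do |req|
    env = {}
    env.merge!(req)
    app.call(env)
  end
  app.deferred.map(&:call)
end

# Constructed sample requests from two different users.
REQUESTS = [
  { 'PATH_INFO' => '/', 'HTTP_COOKIE' => 'session=alice' },
  { 'PATH_INFO' => '/', 'HTTP_COOKIE' => 'session=bob' },
].freeze

if __FILE__ == $PROGRAM_NAME
  p serve_with_shared_env(REQUESTS)  # alice's deferred task now sees bob
  p serve_with_fresh_env(REQUESTS)   # each task sees its own request's user
end
```

With the shared Hash, the task queued during alice's request reads bob's user when it finally runs, because `env` is the same object that the next request overwrote. With a fresh Hash per request, each retained reference points at its own request's data, which is exactly why the per-request allocation removes the cross-request leak even though the app itself is unchanged.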

A mutable object 'env' was shared across threads.



