The session handling code in app/webroot./auth/{login,logout/index.php uses $_SESSION to create and update the PHP session. This works with any session handler that ships as a compiled PHP module but precludes using CakePHP framework session handling configuration changes such as database sessions, or Cake framework session plugins.

 

I have a 1:1 replacement for the $_SESSION usage in both of those files that loads and calls the framework's configuration and session handling logic. The PR will reference this Jira issue.