Sessions are leaking once in a while in my web application when running with PHP PM. I see that HttpKernel closes the session after a response, but still some users have unwillingly been taking over sessions of other users. I see in my logs that a particular IP suddenly has become another user that was active at that time.

A better look at the code shows that if the application raises an exception there's no session cleaning in the catch handler of HttpKernel::handle() - only if there's a response without exception.
I guess that is the issue here.

@andig This one can be closed now