Andrew Bartlett discovered that awl-doc, DAViCal Andrew"s Web Libraries, did not properly handle session management: this would allow a malicious user to impersonate other sessions or users.