in reply to Re^2: Security: Dancer Session cookie swap
in thread Security: Dancer Session cookie swap

That test actually does do what I would expect to find the bug if it were there. So, nice find. The report here, however, is from rare cases of swapping, so it might be a highly intermittent problem that's hard to trigger, or that requires a fatal at a different point in the request cycle, or that is related to a specific server implementation. I provided an example not too long ago of a naïve test that would appear to be right but miss intermittent bugs: Re: why Test::More?. That session-stealing test ought to be run in parallel with 10 agents, stutter-timed, for hundreds of requests to feel "bomb-proof" to me, because that's closer to what can happen in the wild.

My point was that it's not a good idea to have a persistent/cache $VAR without having it initialized in a known state at the top of every request cycle, as the other two persistent/cache $VARS wisely are.

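As an added example (not code from the thread, from Dancer, or from its session engines), here is a stand-alone simulation of the point about persistent/cache $VARS: one long-lived Perl worker serving requests in sequence, with a file-scoped variable that only gets assigned on the happy path. The session store, cookie values and handler names are constructed for illustration; the "buggy" and "fixed" handlers are assumptions standing in for whatever code in a real app touches such a variable.

```perl
#!/usr/bin/env perl
# Added example; not code from Dancer, the thread, or its author.
# Simulates one long-lived Perl worker (as under a persistent PSGI
# server) handling requests in sequence. The session store, cookie
# values and handler names are constructed for illustration.
use strict;
use warnings;

# Constructed session store: cookie value -> session data.
my %store = (
    'cookie-alice' => { user => 'alice' },
    'cookie-bob'   => { user => 'bob'   },
);

# Persistent/cache variable: file-scoped, so it outlives any single
# request because the worker process does not exit between them.
my $session;

# Buggy handler: $session is only assigned on the happy path. A request
# whose cookie is unknown, or that dies before the assignment, leaves
# the previous request's session in place and serves it to the caller.
sub handle_buggy {
    my ($cookie) = @_;
    die "malformed cookie\n" if $cookie =~ /[^\w-]/;   # fatal before any reset
    $session = $store{$cookie} if exists $store{$cookie};
    return $session ? $session->{user} : undef;
}

# Fixed handler: put the persistent variable into a known state at the
# top of every request cycle, before any code path can die or bail out.
sub handle_fixed {
    my ($cookie) = @_;
    $session = undef;
    die "malformed cookie\n" if $cookie =~ /[^\w-]/;
    $session = $store{$cookie} if exists $store{$cookie};
    return $session ? $session->{user} : undef;
}

# Drive a handler through a request sequence the way a server loop
# would: trap the fatal per request, and record who each response is for.
sub run_sequence {
    my ($handler, @cookies) = @_;
    $session = undef;                      # fresh worker process
    my @seen;
    for my $cookie (@cookies) {
        my $user = eval { $handler->($cookie) };
        push @seen, $@ ? '(error)' : ($user // '(anonymous)');
    }
    return @seen;
}

# A valid login, then a request that dies, then an unknown cookie.
my @requests = ('cookie-alice', 'bad cookie!', 'cookie-unknown');
print "buggy: ", join(' ', run_sequence(\&handle_buggy, @requests)), "\n";
print "fixed: ", join(' ', run_sequence(\&handle_fixed, @requests)), "\n";
```

Run as-is, the buggy sequence answers the third request (an unknown cookie, sent after a request that died) as alice, even though alice's cookie was only ever seen two requests earlier; the fixed sequence answers it as anonymous. That is the swap in miniature: it only shows up when a request takes a path that skips the assignment, which is why it looks intermittent in production and why a single straight-line test against a fresh process can pass while the bug is still there.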