BrowserUK, there’s a marvelous little box at the upper right-hand corner of the screen called, “Log In.” The gods have not yet reported that this feature is not in operation.
Nevertheless, what we have before us here is a documented swap of one user’s identity for another ... and we’d better help find that explanation for what is a total compromise of some Dancer-based site. Let (s)he who has a credible theory as to why this code is flawed, and how to reliably fix it, please step-forth as everything else is off-topic. Cowering behind Anonymous Monk to snipe at someone-else, without clearly articulating what is wrong and why you think so, is also irrelevant to the topic of figuring out what has gone wrong here and why.
Q: What has gone wrong here, and why is it hard-to-reproduce, and why does it occur in this production environment at all?