Sysop aripoll reported inability to log into webv4. BBS is running on "Linux Debian 11 on a raspi 4, 32 bits".
Tracked problem down to session key, which had "undefined" tacked on some hundreds of times, exceeding the max cookie size (I suspect) and mismatching the key between client and server. Each instance of "undefined" should've been a character randomly selected from an array of strings, but was not. Some invalid index was being used to access the array of strings, I don't know what. This seemed to begin after eight iterations, don't know if that was consistent.
I suspect we were running afoul of some platform-specific JS optimization or bug. Made an educated guess and introduced a case where the random number might (but never actually would) be logged; seems to have resolved the problem.