session_set_user mistakingly sets the session user to be a reference to the passed object.
This is a problem when alot of data is attached to the session user object,
as any process holding a list of these users will use more memory each time it changes user.
Refactoring and improvements of the accesslib.php library including prevention of access for not-logged-in users when forcelogin enabled, improved context caching, OOP refactoring of contexts, fixed context loading, deduplication of role definitions in user sessions, installation improvements, decoupling of enrolment checking from capability loading, added detection of deleted and non-existent users in has_capability(), new function accesslib test, auth and enrol upgrade notes.
More details are available in tracker subtasks.