Well, this is odd.
I used Firefox’s remote debugger to get a network trace. It turns out that from a regular tab, the POST to /login was sending… no cookies whatsoever. From a private tab, it sent _t, which seems more reasonable. I guess it’s fair that Discourse can’t mark my session as authenticated when the browser isn’t sending the session cookie! But I don’t know why the cookie wouldn’t be sent.
That does make it seem plausible that something add-on related was messing with things…
So, I tried disabling all my add-ons, and then switched back to the Discourse tab to try reloading. But… this is weird, and maybe my memory is messing with me, but when I switched back to that tab, I was now logged in, even before reloading. So I re-enabled all my extensions again… and I’m still logged in. I’m back to my original configuration, but the problem has mysteriously vanished.
That’s scheduled for Firefox 67, which is still in beta – I’m on Firefox 66, which still runs extensions in private browsing windows. So that’s another thing that’s mysterious about this… even if it was an extension that was somehow messing with things, why did private browsing make a difference?
For the record in case anyone else hits something like this in the future, the add-ons I have enabled are: Ghostery, HTTPS Everywhere, Privacy Badger, uBlock Origin. In theory Privacy Badger can eat cookies (that’s kind of what it’s for :-)), but I checked its settings and it says it wasn’t doing anything to those domains. If it happens again I’m going to look real suspiciously at Ghostery.