I run my server with session.auto_start at on, which causes a problem due to the way the Zend Session Object is done.
I would suggest a htaccess with the following rule:
At any rate, this .htaccess coule eventually be used for url routing purposes, for clean urls.
we should not rely on .htaccess for application level logic;
what exactly is the problem you mention? please post steps to reproduce.
I believe mt's configuration would have been an issue even before #828 because Zend_Auth depended on Zend_Session indirectly.
session.auto_start is off in a default PHP configuration.
It's specifically wrong for it to be "on" for Zend Framework apps (http://framework.zend.com/manual/en/zend.session.advanced_usage.html) because it causes an E_NOTICE to be thrown when Zend_Session::start() is called (either directly or by Zend_Session_Namespace).
We can't guard against this programmatically, e.g.,
<a class='mention' href='https://github.com/ini_set'>@ini_set</a>('session.auto_start', 0);
because the session has already been started by the time the PHP executes.
We should document this as a system requirement rather than adding the .htaccess rule. (In fact, we should probably remove piwik/.htaccess from the build so that it doesn't overwrite the user's configuration.)