It seems like it's a bug which spread through more than a DDoS.
Restarting the backend of an instance should fix the problem; otherwise, web users could try clearing the cookies.
@C3D