A Runtime exception (Failed to start the session because headers have already been sent) is thrown for authenticated users when a flag is clicked or unclicked. The populateFlaggerDefaults function in FlagService creates a session for an anonymous user but when the user is authenticated, it still attempts to create the session hence the exception.
Needs work
4.0
Flag core
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
The patch will have to be re-rolled with new suggestions/changes described in the comments in the issue.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.