All our users authenticate using their LDAP credentials via RT-Authen-ExternalAuth plugin. I just tried creating a local user, and RT does the right thing when the local user logs in - it sends back a new cookie and removes the old session data. So the problem seems to be with the RT-Authen-ExternalAuth plugin.
We recently upgraded from RT 4.0.4/ExternalAuth 0.9 to RT4.0.10/ExternalAuth0.13. I can't be sure the problem didn't exist before, but I didn't notice it. -- RT training in Amsterdam, March 20-21: http://bestpractical.com/services/training.html Help improve RT by taking our user survey: https://www.surveymonkey.com/s/N23JW9T