Gerhard,
Thanks, I've reverted that patch. Ok good. I'll bring down 4.7.5 to our test site again and continue to work it over. One of our users reported what sounds like the duplicate cookie sessions problem just last night. I was pleased to see that issue as one of the three you drew attention to
Drupal.org has two IPs, 140.211.166.46 and 140.211.166.61. Good to know. I've got both in there now. I was only ever seeing the .46 one attempt to authenticate me.
I think mod_security is a module that creates a lot of difficult to track down problems... Depending on configuration is breaks forms that contain values that it disapproves of. Completely harmless values. That is a much nicer description than I would have given it. I leave it in because it's one of those things that I don't fully understand, our provider's admin strongly recommends it be on, and I cannot quantify the impact of not having it.
Scott