A "marker cookie" is a tiny, readable-before-session flag whose only job is to decide whether to start a server-side session at all. PHP normally has to start a session before it can know if one is needed — and starting a session emits Set-Cookie plus no-cache headers, which makes the response uncacheable. By keeping a separate plain cookie (just a presence flag, with no auth value stored in it), the app can check "is this maybe-logged-in visitor worth a session?" before touching session machinery. Anonymous visitors carry no marker → no session → fully cacheable pages. The actual login state stays entirely server-side in $_SESSION.
In Lamb (bootstrap.php), should_start_session() returns true only if lamb_logged_in or LAMBSESSID is present. The marker holds a random UUID that's stored nowhere server-side — losing it doesn't log you out (server session still has you), and having it doesn't keep you logged in (an expired session yields an empty $_SESSION). It's a performance/caching gate, not authentication.
should_start_session() and the one call site that uses its result. Confirm an anonymous request never reaches session_start().
Done when: you can name the file/line where the decision is made and what happens on each branch.curl -I and check there's no Set-Cookie and no no-store; then with the marker cookie present, confirm both appear.
Done when: you have two curl -I outputs side by side showing the header difference.