As soon as I turn on login via username/password I can't get to the main selfoss page anymore. Turning on DEBUG gives the message that I am logged in but then I it reports the session isn't valid. Looking at the generated cookie, I figured out that the cookie domain is subdomain.domain.com and the path is subdomain.domain.com -- this is obviously wrong. I patched this by hardcoding my domain to subdomain.domain.com and the path to / in Authentication.php like this:

// check for SSL proxy and special cookie options
        if(isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && isset($_SERVER['HTTP_X_FORWARDED_HOST'])
           && ($_SERVER['HTTP_X_FORWARDED_SERVER']===$_SERVER['HTTP_X_FORWARDED_HOST'])) {
            $cookie_path = '/';
            $cookie_domain = 'subdomain.domain.com';
        } else {
            // cookie path is script dir.
            $cookie_path = '/';
            $cookie_domain = 'subdomain.domain.com';
        }

Now authentication works but this is obviously very ugly. I'm running on a Webfaction vserver. I'm guessing the $_SERVER variables are messed up somehow but know to little to know how exactly that is broken and why.