"Session expired or invalid" problem calling an @RestResource from Apex in Winter '15 preview; UserInfo.getSession returns null for Force.com Sites

Support have come back with:

confirmed with R&D that this is not a BUG rather a security update that is introduced in Winter'15 release

and advise:

affected customers will need to adjust their integration's to not rely on a guest session ID

Salesforce backed out this across-the-board change and made it a versioned changed. API Version 31 and earlier will continue to return the session ID from UserInfo.getSessionId() when in the Sites guest user context. Your VF Page and Apex Controller must be Version 31 or earlier.

The patch hit the Winter '15 sandboxes last night (Sept 30) and will hit the only production instance (NA1) currently running Winter '15 tonight and will be included with the rest of the pod upgrades on Oct 3rd and Oct 17.

(This is not documented publicly as a Known Issue nor included in the Release Notes)