posted 17 years ago
Are you doing any kind of SSO?
I've seen situations like this. The general scenario was in a "lab" setting. User A logs off of the master app, but does not get logged out of the subapp. Then User B logs in to the Master app with the same browser session. This lets User B get the same session that User A had in the sub app... which has a valid user in its session and does not run the SSO re-authentication. So, main app is user B but secondary app is user A.
[originally posted on jforum.net by monroe]
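The scenario described in the post above, as an added example that is not part of the original post and is not JForum code: a minimal Python model of a sub app that either reuses its cached session user without re-checking (the behaviour described) or compares it against the identity the master app currently asserts. `SubApp`, `handle`, `lab_scenario` and the cookie value are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SubApp:
    """Secondary app that trusts an identity asserted by the master app (SSO)."""
    check_identity: bool                          # False = behaviour described in the post
    sessions: dict = field(default_factory=dict)  # sub-app session cookie -> username

    def handle(self, cookie, sso_user):
        """Return the user this request is served as.

        cookie   -- the sub app's own session cookie (survives a master-app logout)
        sso_user -- identity the master app asserts right now, or None if logged out
        """
        cached = self.sessions.get(cookie)
        if cached is not None:
            if not self.check_identity:
                # A valid user is already in the session, so SSO
                # re-authentication is skipped and the old user is reused.
                return cached
            if cached == sso_user:
                return cached
            # Identity changed or master logged out: drop the stale session.
            # (A real app would also issue a fresh session id here.)
            del self.sessions[cookie]
        if sso_user is None:
            return None
        self.sessions[cookie] = sso_user
        return sso_user


def lab_scenario(app):
    """Replay the post's sequence on one shared browser session."""
    cookie = "browser-1"            # constructed sample value
    app.handle(cookie, "userA")     # User A logs in through the master app
    # User A logs off the master app; the sub app is never told.
    # User B then logs in to the master app from the same browser.
    return app.handle(cookie, "userB")


if __name__ == "__main__":
    print("no identity check  :", lab_scenario(SubApp(check_identity=False)))
    print("with identity check:", lab_scenario(SubApp(check_identity=True)))
```
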