I have an app that is using devise for authentication. Rails 3 on ruby 1.9.2, with passenger on top of nginx.

Here is my problem: I have noticed that occaisionally my sessions are getting crossed. While being logged in as one user, I sometimes become another user. This is really a horrible problem. I have managed to get it to stop by using active_record sessions storage. But I am stumped as to where it could be happening. It happens both when using cookie storage, and memcached storage. I am not sure where to start debugging. I have gone through all of my code, and I am only reading from ‘current_user’ not writing. I don’t have any code storing items in session.

Can anyone give me suggestions as to where, or how this could be happening?

Update:

I setup a div at the top of the page to dump the session contents on each request. It is not just the user switching, it is the whole session. There are some dummy variables that I set in the session just to see what would happen. When the sessions get crossed, (User A becomes User B) User A now sees the dummy variables that User B had. And User B is logged out.

UPDATE 2

I found another question here on stack overflow that describes the same exact problem: In Rails, what could cause a user to have another user's session?

It looks like it could be a passenger issue? But more important, how come it is even happening? This is a REAL big problem. How do I put a stop to this?

UPDATE 3

I am now using Unicorn to serve my app. I set config.threadsafe! and started using active-record sessions exclusively. No more memcached sessions. The problem is gone. At least I can stop pulling my hair out because the security hole is plugged.

I would still like to know what exactly was causing it. Most of the tutorials out there show how to setup passenger, with the default spawning method. Naturally, I would think memcached would perform best for session management over the other methods. Especially in a multiple application server environment.

Update 4

Okay, last and final update. This was an issue with forked processes using the same memcached connection. I fixed it by using dalli memcached client, and reseting the connection in the after_fork callback of either unicorn or passenger.