I have an FBA site that uses Sitecore. Every so often, it will confuse one user with another. What I mean is, somehow User A will unintentionally hijack User B’s session. User A will be looking at a page that a) they don’t have permission to view, and that’s b) customized for User B. The one time I was able to reproduce (accidentally) , I got my original session back after I clicked through to another page.
I know Sitecore leverages the Aspnet membership DB, so this might be an issue with that DB, but I really couldn’t guess. It feels more like a session issue than anything else. Also, this is not happening on a cluster, but on a standalone machine.
Anyway, any information – even theories – could help. I don’t think I’ve ever seen anything quite like this before.
I had a similar issue long ago. It turned out that there was a static (shared) method retrieving the user (or session). That was not a Sitecore bug but rather a bad implementation… Not at all sure this is your problem but it might be worth to check that no fields or methods used to access the user are shared.