PassportJS Session Mixed Up
On our ExpressJS application, when pushed to production server, the passport session gets mixed up at random times. At random, the page can load the view of another user even when I did not log out of my session. Without doing anything else, another refresh will bring me back to my own account (at random too).

This phenomenon is happening to two of our web applications coded by two separate users following the Passport guides on their website. Both web apps use Facebook connect/API.

This happens on both Redis and File session stores. I saw a post about using global variables: we are sure we use local scope only.

Is there something that we are doing wrong?

Update v1

On one app, we implemented the following for the serialize/deserialize for Passport:

// Stores the entire user object in the session (no DB lookup on later requests).
passport.serializeUser(function(user, done) {
    done(null, user);
});

// Hands the stored object straight back as req.user.
passport.deserializeUser(function(obj, done) {
    done(null, obj);
});

The other, we have also tried:

// Still stores the whole user object in the session...
passport.serializeUser(function (user, done) {
  done(null, user);
});

// ...but re-fetches the user by id from the database on every request.
passport.deserializeUser(function(user, done) {
  User
    .where({id: user.id})
    .fetch()
    .then(function (user) {
      done(null, user);
    }, function (err) {
      done(err, user);
    });
});

Either way, the app still has its session mixed up.

Update v2

This error only happens when multiple users are logged in to the server and are using it concurrently. It does not occur when only one person is using the system.

Update v3

It seems that the problem might be caused by Amazon AWS, since some of the "wrong user" page requests are not reaching the NodeJS app at all (verified by console.log).

Fontainebleau answered 31/8, 2015 at 9:25

Comments:

Meilen: How are you serializing/deserializing the user? Each request will come from the client with the user property set to whatever you serialized the user as when registering the session.

Fontainebleau: Thanks @Purag, I have updated the question with our serialize/deserialize code. Both are found in working examples everywhere.

Epigene: The apps aren't using app.locals where they should be using res.locals instead, by any chance?

Fontainebleau: @Epigene - nope, we either only use res.locals or don't use it at all. The req.user provides a different user than expected.
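The question and the comments above circle around one mechanism that produces exactly this symptom: per-request state (the authenticated user) kept somewhere that is shared by every in-flight request, so that two concurrent users overwrite each other between one await and the next. The following is an added example, not code from the original post or from Passport or Express; it simulates two concurrent requests with an in-memory user table and artificial delays (all constructed here) and contrasts a handler that keeps the user in module scope with one that keeps it on the request object, which is how Passport's req.user is meant to be used.

```javascript
// Added example (not from the original post). Simulates two concurrent
// requests through an async pipeline without Express or Passport.
// The user table, delays and request objects are all constructed inline.

const users = { 1: { id: 1, name: 'alice' }, 2: { id: 2, name: 'bob' } };

// Simulated async DB lookup; the delay lets concurrent requests interleave.
function fetchUser(id, delayMs) {
  return new Promise((resolve) => setTimeout(() => resolve(users[id]), delayMs));
}

// Simulated async template rendering.
function renderDelay(ms) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

// BROKEN: the "current user" lives in module scope, shared by every
// in-flight request on this Node process.
let currentUser = null;

async function handleBroken(req) {
  currentUser = await fetchUser(req.session.userId, req.delayMs);
  // While this request awaits rendering, another request can reassign
  // currentUser, and the page below is then rendered for the wrong user.
  await renderDelay(req.renderDelayMs);
  return `Hello ${currentUser.name}`;
}

// FIXED: the user is attached to the request object (req.user), so nothing
// is shared between requests. This is the shape Passport's deserializeUser
// produces when it hands the user to done().
async function handleFixed(req) {
  req.user = await fetchUser(req.session.userId, req.delayMs);
  await renderDelay(req.renderDelayMs);
  return `Hello ${req.user.name}`;
}

// Runs alice's and bob's requests concurrently. Alice's lookup returns first
// but her render takes longer, so bob's handler runs in between.
async function simulate(handler) {
  const alice = { session: { userId: 1 }, delayMs: 5, renderDelayMs: 30 };
  const bob = { session: { userId: 2 }, delayMs: 10, renderDelayMs: 1 };
  const [aliceView, bobView] = await Promise.all([handler(alice), handler(bob)]);
  return { alice: aliceView, bob: bobView };
}

// Usage when run directly: the broken handler greets alice as bob.
simulate(handleBroken).then((r) => console.log('broken:', r));
simulate(handleFixed).then((r) => console.log('fixed:', r));
```

The same pattern applies to anything set on app.locals, a module-level cache, or a closure variable captured by a route handler during a request: any of these are process-wide, while req, res and res.locals are the only places that belong to one request.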

The problem seems to be caching caused by ExpressJS, not PassportJS session.

We found out that ExpressJS sets the setting view cache to true when in production. By using app.disable('view cache'); in app.js, we disabled the cache, and this seems to have solved the problem.

Fontainebleau answered 3/9, 2015 at 3:16

Comments:

Ivers: Simply click the bounty award icon next to each answer to permanently award your bounty to the answerer. (You cannot award a bounty to your own answer.) As written in the bounty doc.

Ivers: 400 rep is gone to empty space.. gah :(

Overlay: Express and Passport are sharing the same session. So I still do not understand why caching would cause problems in your case.
