We have a web application where we are authenticating users in a login form. After login, we keep the user info (user info, user id, ...) in session state. Now, under pressure, sometimes and very rarely, we hear from clients that they are logging in with their user name, but after login they find themselves with somebody else's name, and reading their data, as if they are reading another user's session. Could this be the issue?
The only way I could see that happening is if they somehow shared the same session ID, which would probably only happen if you're managing session state in SQL Server. If you're using standard InProc session state, that would be highly unlikely.
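
One way to test the shared-session-ID hypothesis from the answer above, as an added example that is not part of the original thread: scan an audit log for requests served under a session ID that was bound to a different user at login. The log format, event names and sample lines are constructed assumptions; the application would have to log the session ID and the user it served on every request.

```python
# Constructed sample audit log (not from the original thread). Assumed format:
# ISO-8601 timestamp, event, session ID, user ID as seen by the server.
SAMPLE_LOG = """\
2024-05-01T10:00:00 login sess-A alice
2024-05-01T10:00:05 request sess-A alice
2024-05-01T10:00:07 login sess-B bob
2024-05-01T10:00:09 request sess-A bob
2024-05-01T10:01:00 logout sess-B bob
2024-05-01T10:02:00 login sess-B carol
2024-05-01T10:02:10 request sess-B carol
"""


def find_session_crossovers(log_text):
    """Return (timestamp, session_id, expected_user, seen_user) for every
    request whose user differs from the user bound to that session at login.

    A new login on the same session ID (for example a second person on a
    shared browser) rebinds the session and is not reported. A request on a
    session with no recorded login is reported with expected_user None.
    """
    owner = {}      # session ID -> user bound at the most recent login
    findings = []
    # ISO-8601 timestamps sort lexicographically, so sorting lines orders events.
    for line in sorted(log_text.splitlines()):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, event, sid, user = parts
        if event == "login":
            owner[sid] = user
        elif event == "logout":
            owner.pop(sid, None)
        elif event == "request" and owner.get(sid) != user:
            findings.append((ts, sid, owner.get(sid), user))
    return findings


if __name__ == "__main__":
    for ts, sid, expected, seen in find_session_crossovers(SAMPLE_LOG):
        print(f"{ts} session {sid}: bound to {expected}, served as {seen}")
```

A finding means the identity changed without a login on that session, which points at how the server stores or resolves user state rather than at the user's credentials.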