Users are being logged in as the wrong user

[x9sim9]

Hi We are having a really strange issue with devise for some reason a user is using 1 set of credentials and being randomly logged in as another user. The issue happens intermittently and we have started saving the email address used when logging in and comparing it to the current_user being reported from devise and forcing a logout when this happens.

We don't have a reliable way of recreating the issue, it seems to happen randomly but we have about 20 rollbar error reports so we do have some information, not sure what information to provide

Environment

• Ruby 3.3.5
• Rails 7.1.4.2
• Devise 4.9.4

Current behavior

User is being logged in as the wrong user

Expected behavior

User should be logged in as the correct user

What we have tried

Using database session storage and redis session storage, here is the current config

Rails.application.config.session_store :redis_store,
url: "#{ENV.fetch("REDIS_URL", "redis://127.0.0.1:6379/0")}/session",
expire_after: 30.days,
key: Rails.env.production? ? "_new_app_session" : "new_app_session#{Rails.env}",
threadsafe: true,
secure: Rails.env.production?,
same_site: :lax,
httponly: true,
domain: :all