Rails returning session of another user

Running Jruby1.4.0, Rails 2.3.5, Tomcat 5.5, Java 1.6

We are getting reports that when a user logs in they are getting the session of another user. We are unclear how this could happen. One suspicion is a potentially non-threadsafe plugin called acts_as_audited. has anyone encountered this issue before? Any idea how this can happen?