Rails returning session of another user

Running Jruby1.4.0, Rails 2.3.5, Tomcat 5.5, Java 1.6

We are getting reports that when a user logs in they are getting the
session
of another user. We are unclear how this could happen. One suspicion
is a
potentially non-threadsafe plugin called acts_as_audited. has anyone
encountered this issue before? Any idea how this can happen?

Thanks
AD