[eluser]WanWizard[/eluser]
No, this looks fine to me.
However, I'm still clueless as to how userA can receive the session information of userB. We've established that both users receive a unique session_id, which would indicate that there is no session cookie issue client-side or with the proxy they use.
So do both sessions contain the correct user information (that why I asked to dump the entire session record instead of only the ID)? If yes, then you must have a logic error in your application when processing the session information. If they are wrong, we have to look to how you handle your sessions.