Users are logging in with the sessions of other users!
13 years 10 months ago #24799 by julsen
This is a serious problem because it is a major security problem and it breaks the credibility of posted information.

Some users are reporting that, after logging in with the correct username and password, they are logged in as a different user. Some of them reported being logged in as one of my frontend administrators (they sent me a private message from that user's account while the problem was occurring)!

This is a big problem!

My idea is to reset the session id when a login is completed. Does that make sense? Are there any solutions for this problem?
The topic has been locked.
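The mitigation proposed in the post above (rotate the session id once authentication completes) and a check that catches the reported symptom (one user's session data being served under another user's cookie) in plain PHP. This is an added example, not JFBConnect or Joomla code: it uses PHP's built-in session store rather than Joomla's #__session table, and `SESSION_BINDING_SECRET` is an assumed server-side secret that must be generated per site and kept out of the session data.

```php
<?php
declare(strict_types=1);

// Added example (not JFBConnect or Joomla code). PHP's native session store
// stands in for Joomla's #__session table. The secret below is an assumed
// placeholder: generate a random value per server and keep it out of $_SESSION.
const SESSION_BINDING_SECRET = 'replace-with-a-random-server-side-secret';

function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie only sent over HTTPS
        'httponly' => true,   // cookie not readable by page script
        'samesite' => 'Lax',
    ]);
    session_start();
}

// MAC over (session id, user id). If the data of one session is ever served
// under a different session id, or carries a different user id than the one
// it was bound to, this value no longer verifies.
function sessionBinding(int $userId): string
{
    return hash_hmac('sha256', session_id() . '|' . $userId, SESSION_BINDING_SECRET);
}

// Call once the credential check (password, Facebook, ...) has succeeded.
function finishLogin(int $userId, string $username): void
{
    startSession();
    $_SESSION = [];               // discard whatever the pre-login session held
    session_regenerate_id(true);  // issue a new id and delete the old server-side record
    $_SESSION['user_id']   = $userId;
    $_SESSION['username']  = $username;
    $_SESSION['auth_time'] = time();
    $_SESSION['binding']   = sessionBinding($userId);
}

// Returns the authenticated user id, or null when the session is not a valid,
// correctly bound login. A binding mismatch destroys the session instead of
// trusting it, so a mixed-up session falls back to "guest" rather than to
// another user's account.
function currentUserId(): ?int
{
    startSession();
    if (!isset($_SESSION['user_id'], $_SESSION['binding'])) {
        return null;
    }
    $userId = (int) $_SESSION['user_id'];
    if (!hash_equals(sessionBinding($userId), (string) $_SESSION['binding'])) {
        logout();
        return null;
    }
    return $userId;
}

function logout(): void
{
    startSession();
    $_SESSION = [];
    // Expire the cookie so the browser stops presenting the old id.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

`session_regenerate_id(true)` is the standard defence against session fixation: a session id that existed before the login can no longer reach the authenticated session. The HMAC binding is the extra check relevant to this thread: it does not prevent a server-side cache from handing one user's data to another, but it makes such a session fail verification on the next request instead of silently acting as the wrong user. With Joomla's database session handler the same binding value can be kept in the serialized session data; truncating #__session only forces everyone to log in again.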
Support Specialist
13 years 10 months ago #24804 by alzander
We've never heard of or seen an issue like that. The login functionality of JFBConnect absolutely takes into account user sessions, the user's FB id, and makes sure it correlates with the associated user's Joomla id in multiple ways.

Obviously, that would be a huge security problem, but I'm unsure of where to even begin understanding that it's happening. Can you help us to understand:
* Do you have any caching enabled on the site, or anything else that may cause one session to look like another?
* Can you check the user manager to see if the user that is logged in as someone has the correct account also logged in?
* What JFBConnect profile plugins are enabled?
* What other user management extensions do you have installed (JomSocial, CB, etc)
* What other User plugins are enabled (that's what sets a lot of info about the user in the session)
* Are you 100% sure the users that are cross-logged in are using Facebook to log in?
* Can you check the JFBConnect User Map to ensure that the admin user account is associated with the correct FB user (or no user at all)?

We'll gladly help diagnose this however we can. JFBConnect is used on tens of thousands of sites, though. If this were a widespread issue, there's no doubt others would have found it, so it definitely seems local to your site somehow.. we just need to figure out how.
13 years 10 months ago #24810 by julsen
* Do you have any caching enabled on the site, or anything else that may cause one session to look like another?
Yes, I have. I'm running just the APC cache. This is a PHP cache and I think that isn't the problem.
* Can you check the user manager to see if the user that is logged in as someone has the correct account also logged in?
Well, the problem happened many times, including to me.
* What JFBConnect profile plugins are enabled?
Authentication - JFBConnect Facebook
Content - JFBCContent
JFBConnect - FB Wall Integration
JFBConnect - Profiles - JomSocial
System - JFBCSystem
User - JFBConnect Facebook
* What other user management extensions do you have installed (JomSocial, CB, etc)
JomSocial and Kunena, but all user management is linked to JomSocial.
* What other User plugins are enabled (that's what sets a lot of info about the user in the session)
User - Joomla!
User - JFBConnect Facebook
User - Jomsocial User
Invitex-User Registration
User - JComments
But the main login form is using the JFBConnect module.
* Are you 100% sure the users that are cross-logged in are using Facebook to log in?
Yes. It happened to me.
* Can you check the JFBConnect User Map to ensure that the admin user account is associated with the correct FB user (or no user at all)?
The admins are not associated with FB.

My guess is: these problems are associated with Joomla session control, especially with the #__sessions table. This weekend I made some changes on my server and I observed that these problems occur when I restart Apache. So, I decided to clean (truncate) the session table every time I restart Apache, and the problem isn't happening anymore. However, that isn't a nice solution.
13 years 10 months ago #24829 by alzander
APC could actually be the problem. Depending on how it's configured, it may be caching some of the code of JFBConnect in a way that, when user (a) logs into your site, the login flow is cached with that user. Then, when user (b) logs in, the flow from (a) is used.

APC generally works well, but issues like that can happen. We use eAccelerator on this site. Not saying it's better, but we tested for weeks under a ton of different scenarios to make sure the caching didn't mix information.

Beyond that, I'd recommend trying to disable the Invitex and JComments user plugins for now. I can't imagine they are the problem, but during login, each User Plugin is fired off and can change the session information. If one of those has a bug, that could be the problem.

If the users aren't in the JFBConnect User Map table, I can't imagine any scenario in which JFBConnect would connect them to the wrong account. You don't have multiple databases running, or backup tables somehow remaining in your database, do you?

Finally, you may be right that the problem is with the sessions table. However, the sessions table is 100% managed by Joomla. If your site is having issues with the session table where data is getting used by the wrong user, that's either a server configuration issue (APC, etc.) or a major bug in Joomla. Just to clarify though: when you restart Apache, if you clear the session table, the issue completely goes away? The sessions are related to a cookie stored on a user's computer. Even restarting Apache shouldn't alter the cookie or the corresponding value in the session table, so I'm not sure how restarting Apache would affect that.. but it's a good data point, if I understand right.

Thanks,
Alex
13 years 10 months ago #24838 by julsen
I will try to make those changes.

PS: Yesterday, a user posted on the forum under my Facebook login. The problem was not solved by clearing the tables.
13 years 10 months ago #24862 by alzander
I honestly wouldn't expect clearing the tables to fix everything. Something's obviously wrong, I'm just not sure where it is. I hope you also understand that if this were a widespread issue, we'd definitely hear a lot more about it. Not sure what's different about your Joomla site or server config, but it seems unique to you. Hopefully we can get to the bottom of it!

Thanks,
Alex