Passport.js session overwritten by new user

A user is authenticated with passport.js. Express-session enables a session. Wherever they go in the site, the passport user is their user name. The session is working. If I open a new browser window and log in with a different account, then in this new browser, the user can traverse the website and the passport user is their name. If I return to the first browser, the first user’s credentials have been replaced with the second user’s credentials. The second user is now logged in and has a session ongoing on both browsers, and the first user has vanished. Has anyone experienced this?

Are you trying to get two accounts linked to the same user? Otherwise, what I did was to have a “loggedin” variable in my Pug templates for my navbar (which has log in buttons) and set that from within my app to false if req.user existed.

Using simple if else statements in Pug, I just removed the login buttons when loggedin variable was true and brought them back if it wasn’t.

My voting app is still not complete, but here’s the pug template for my navbar, where I use this logic: Github repo

The problem was that I was still logged in as the first user, and then I logged in as the second user. It seems silly now. Two different browser windows was not enough. I was kept logged in. I had to use a separate incognito window, or else a different device.