We are using the default form login for our website. The roleManager is set on MultiplexingRoleProvider with SqlServerRoleProvider mapped on the ActiveDirectoryMembershipProvider. The membership provider is the ActiveDirectoryMembershipProvider. Everything works fine - most of the time.
But occasionally something very weird happens. A different user is already logged in when someone calls the website. The username appears on the page and is marked as logged in. Additionally all the users private data is visible to the visitor.

Have someone a clue about what happens here? Any hints to solve that problem? That would be great. Thankx.

additional notes:
- form login is using requireSSL="true" and timeout="129600"
- <sessionState cookieless="UseCookies" cookieName="EPiServer" mode="InProc" ...
- The website is running in https mode
- clearing the application pool manually helps