…t would not authenticate it When user comes from a signed request, a cookie with a signature is sent. In the next request, there is no signed request, so the cookie is tried. There was a problem with the code, and this second request would never get the proper user. When generating the signature, the first request and second where using different values.
this client to store auth information instead making us store it in session.