At the protocol level, there are socket.io sessions, and those sessions can involve a client connecting to zero or more namespaces.
At the client API level, there are sockets. Those sockets have associated query strings and remote namespaces. This is an impedance mismatch that seems to be asking for confusion and/or security bugs.
For example, what does this do?
If there's already a connection to the same server, then it 'connects' that connection to the namespace '/whatever'. The username and password are ignored. If, on the other hand, there is no connection, then the username and password are sent over the wire.
If there was a connection with a different username and password and it hasn't been destroyed, then that username and password is reused.
Using 'force new connection' doesn't help that much. It guarantees that the username and password are sent, but then the functionality of connecting to multiple namespaces gets lost.
(It seems like there's more breakage here, too. If two sockets that share a connection use the same namespace, then they can probably get events meant for each other. Berkeley sockets, for all of its oddities, has an entirely clear notion of what is sent to what, and socket.io might want to emulate this sometime before 1.0.)