I'm a newbie to node.js so there's a good chance i'm missing something. ...

[ebaizel]

... but it seems like the loggedIn flag is not on the req object directly but on req.session.auth Please verify this. If you look at line 140 in index.js you'll see that it also uses req.session.auth

[thisissami]

are you using Connect? If so, I think that the new version of connect screwed things up. I've been really frustrated over the past couple days with a similar/same issue (essentially never being able to verify if somebody is logged in or not using any of the described functions). I was so frustrated that I switched to PassPort JS, and now I'm having the same issues there. I think this will work fine with either Express or older versions of Connect, but not entirely sure (since I haven't verified).

[thisissami]

if you're using cluster, that could be the problem. that was the problem for me. to quote somebody on PassportJS:

"Quick reply: are you using cluster or spinning up multiple server instances?

If so, the built-in MemoryStore for the session won't work properly, and you need to switch to something like this:
https://github.com/visionmedia/connect-redis

Or one of the other session stores listed here:
https://github.com/senchalabs/connect/wiki

The reason is that you'll end up hitting a server which didn't serve the original request, and thus doesn't have that session information in its own memory. That sounds like what could be going on if deserializeUser isn't called 100% of the time."