your login page has a pretty big probelm on it.
you have 3 authenticate user behaviors, one at line 11 - 130, the second at line 132 - 149, those are both fine
but the 3rd one at lines 151 - 168 should be deleted.
the way that one is set is to look up the UserLevel session, and set the UserName session based on the user level.
what that means is that the Userfirst Name session being set wont necessarily match the user that is logged in, it match the first record for the logged in user level.