Did you see my post last night of what I think your issue is?
When the app is reloading all settings on every request, it is most likely re-creating all singleton objects on every request, which means that data accidentally stored in your singleton objects is washed clean at the end of each request. That means that on dev each user is getting their actual username and pass used to load their user object instead of re-using accidentally persisted data.
ColdBox Platform Evangelist
Ortus Solutions, Corp