Brian,
I haven't seen this problem myself.
I agree that putting it in session state is a good idea, but I wouldn't put an individual user's security context in the cache because it's not fundamentally isolated. It's not good to depend on home-grown source code to keep the users separated (it might work well, but seems like a security risk).
Did you see my posting here - is this how you set up your page:
http://p2p.wrox.com/topic.asp?TOPIC_ID=15318
I'm debating going to a simpler model based on Generic Principal instead of a custom Principal. Have you considered this? The Microsoft TimeTracker Starter Kit has a good, and simple, implementation of Generic Principal.
Eric