One account can access the other's even if logged out

Scenario:

User A logs in to connect.garmin.com on the web. Enables "remember me" in the login screen. Logs out.

User B logs in to connect.garmin.com on the web. Goes to Profile and Account (top right corner) --> Account Settings --> Account Information --> Change email.

Now the scary part: User B suddenly can see User A's email and is able to change it!

A and B are my wife and me, so no worries, but this scenario should not be possible, right?

  • TL;DR again the specific problem here is associated with the Account Information > Change Email link in Connect, which opens the account info page on www.garmin.com and implicitly logs you in as the current Connect user [if you're not already logged into www.garmin.com].

    After clicking Change Email, if you don't explicitly log out of www.garmin.com and you subsequently log into Connect as a different user and click Change Email, you'll be incorrectly logged into www.garmin.com as the first user.

    So the actual bug is that the login session for www.garmin.com is inappropriately preserved, but only for the case when you click on Change Email in Connect. This happens even if it seems that you're logged out of www.garmin.com when you manually navigate to that site.

    Simple repro procedure (all steps in same browser):

    0. Close browser entirely, then open new browser window in incognito mode (to ensure previous session data is cleared)

    1. Log into connect.garmin.com as User A and click profile pic > Account Information > Change Email. A new tab opens with www.garmin.com (account info page) as User A (correct)

    2. Close the www.garmin.com tab (without logging out). Log out of connect.garmin.com

    3. Open www.garmin.com and verify nobody is logged in. Do not log in

    4. Log into connect.garmin.com as User B and click Change Email. A new tab opens with www.garmin.com (account info page) as User A (incorrect!)

    If step 2 is modified so that the user explicitly logs out of www.garmin.com, then the bug does not occur. Also note that it isn't really necessary to close the www.garmin.com tab in step 2, but a normal end user is likely to do so.
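As an added illustration, not code from Garmin or from either poster: a constructed Python model of the handoff flow the reply describes. It runs the four repro steps against two variants of the account-info site, a "buggy" one that reuses a remembered identity from the first Change Email click, and a "fixed" one that always binds the handoff to the current Connect user and revokes the store-side records when the user logs out of Connect. The cookie names, the token, the remembered-identity record and the assumption that closing the tab drops only the page-session cookie are all made up for the model.

```python
"""Constructed model of the cross-site login handoff described in the thread.
Two toy sites share one browser cookie jar: Connect (where the user logs in)
and Store (the account-info page that the Change Email link opens).
Not Garmin's code; cookie names, tokens and the remembered-identity record
are assumptions for illustration.
"""
import secrets


class Browser:
    """One browser profile: a cookie jar keyed by cookie name (constructed)."""

    def __init__(self):
        self.cookies = {}


class Store:
    """The account-info site (stands in for www.garmin.com)."""

    def __init__(self, trust_remembered):
        self.sessions = {}     # page session id -> user
        self.remembered = {}   # remembered-identity id -> user; outlives the page session
        self.trust_remembered = trust_remembered  # True reproduces the reported behaviour

    def page(self, browser):
        """Return who the normal account page shows as logged in (None if nobody)."""
        return self.sessions.get(browser.cookies.get("store_sid"))

    def consume_handoff(self, browser, token_user):
        """Handle the Change Email link: log the browser in, return the record ids used."""
        rid = browser.cookies.get("store_rid")
        if self.trust_remembered and rid in self.remembered:
            # Bug: the identity remembered from an earlier handoff wins over the
            # user the fresh handoff names, even though page() shows nobody.
            user = self.remembered[rid]
        else:
            user = token_user  # Fix: the handoff always asserts the current user
        if rid not in self.remembered:
            rid = secrets.token_hex(8)
            browser.cookies["store_rid"] = rid
        self.remembered[rid] = user
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        browser.cookies["store_sid"] = sid
        return sid, rid

    def revoke(self, sid, rid):
        """Server-side revocation requested by Connect on logout (single logout)."""
        self.sessions.pop(sid, None)
        self.remembered.pop(rid, None)


class Connect:
    """The login site (stands in for connect.garmin.com)."""

    def __init__(self, store, propagate_logout):
        self.store = store
        self.sessions = {}   # connect session id -> user
        self.linked = {}     # connect session id -> store records minted for it
        self.propagate_logout = propagate_logout

    def login(self, browser, user):
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        browser.cookies["connect_sid"] = sid

    def change_email(self, browser):
        """Change Email link: hand the current Connect user to the store."""
        sid = browser.cookies["connect_sid"]
        self.linked[sid] = self.store.consume_handoff(browser, self.sessions[sid])
        return self.store.page(browser)

    def logout(self, browser):
        sid = browser.cookies.pop("connect_sid", None)
        self.sessions.pop(sid, None)
        if self.propagate_logout and sid in self.linked:
            self.store.revoke(*self.linked.pop(sid))


def reproduce(fixed):
    """Run the thread's steps; return the store identity seen at steps 1, 3 and 4."""
    store = Store(trust_remembered=not fixed)
    connect = Connect(store, propagate_logout=fixed)
    browser = Browser()                          # step 0: fresh incognito profile
    connect.login(browser, "user_a")
    step1 = connect.change_email(browser)        # step 1: store opens as user_a
    browser.cookies.pop("store_sid", None)       # step 2: tab closed (assumption: page
    connect.logout(browser)                      #   session cookie dropped, rid cookie stays)
    step3 = store.page(browser)                  # step 3: nobody appears logged in
    connect.login(browser, "user_b")             # step 4: second user clicks Change Email
    step4 = connect.change_email(browser)
    return [step1, step3, step4]


if __name__ == "__main__":
    print("buggy:", reproduce(fixed=False))   # ['user_a', None, 'user_a']
    print("fixed:", reproduce(fixed=True))    # ['user_a', None, 'user_b']
```

Either half of the fix removes the repro on its own: making the handoff endpoint ignore any previously remembered identity, or revoking the store-side records when the user logs out of Connect. Doing both is the safer design, because it also covers a user who never clicks Change Email again before someone else uses the browser.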