Are you using different authentication schemes in dev and production? This is how app_user is set: APP_USER is the current user running the application. Depending upon your authentication model, the value of the user is set differently. If the application is running using database authentication, then the value of the user is the same as the database pseudo column USER. If the application uses an authentication scheme that requires the user to authenticate, the value of APP_USER is set by the authentication scheme, usually to the user name used during authentication.
Also, make sure that the comparison takes care of case; so it is safer to try (you can try lower or upper):
lower(author) = lower(:app_user)
I think you get different users on your production and dev system, because production is using EPG and dev is using Apache+mod_plsql or APEX Listener to connect your browser with APEX running in the database. BTW, it would be better if your production system also uses Apache+mod_plsql or APEX Listener, because it's better for performance.
But about your problem of why APP_USER returns one of the above values:
-) Which authentication scheme are you using?
-) Is the affected page a public page (Edit Page -> Security -> Authentication = Page is public)?
-) Are you prompted for a user/pwd before you go to this page?
My Blog: http://www.inside-oracle-apex.com
APEX Plug-Ins: http://apex.oracle.com/plugins