Auth0 Bearer Token SID Repeats Across Users

Hi everyone,

I’m encountering an issue with Auth0’s bearer tokens, specifically regarding the sid (session ID) claim.

Here’s what happened:

  1. I was logged in as User A, and their session eventually expired.
  2. Afterwards, I logged in as User B.
  3. I noticed that the new bearer token for User B contained the same sid value that was previously issued to User A.

Is this expected behavior? Shouldn’t the sid be unique per user session?
Could this be a misconfiguration on my end, or is it potentially a bug within Auth0?

Any insights or experiences with similar behavior would be greatly appreciated. Thanks in advance!

Hi @Titorr2001, and thank you for your question!

This is the expected behavior and not a misconfiguration or a bug.

The sid (Session ID) claim in the token does not identify the user’s session, but rather the browser’s session with the Auth0 authentication server.

When User B logs in from the same browser, the browser sends the existing session cookie along with the login request. Auth0’s session layer detects this existing session, validates it, and then re-associates it with User B’s new authentication event.

Because the underlying browser session is being reused, the sid remains the same. However, the most important claim for identifying the user, the sub (subject) claim, will have correctly changed to reflect User B’s unique ID.

I hope this helps you!

Sincerely,
Teodor.
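An added example in Python, not code from this thread or from Auth0, illustrating the point of the answer above: two constructed access tokens from the same browser session share one sid but carry different sub values, so any per-user authorization or cache must key on iss + sub, never on sid. The issuer URL, user IDs and sid are constructed placeholders and the signature segment is a dummy; real tokens must be signature-verified against the issuer's JWKS before any claim is trusted.

```python
import base64
import json

# Constructed sample tokens, NOT real Auth0 tokens: two access tokens from the
# same browser session, first for User A, then for User B. The sid is identical
# (it names the browser's session with the auth server); only sub, iat and exp
# differ. The signature segment is a dummy; real tokens are verified first.
ISSUER = "https://example-tenant.auth0.example/"  # placeholder issuer
SID = "constructed-browser-session-id"            # same browser session


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _token(sub: str, iat: int) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    payload = {"iss": ISSUER, "sub": sub, "sid": SID, "iat": iat, "exp": iat + 3600}
    return ".".join([_b64url(header), _b64url(payload), "dummy-signature"])


TOKEN_A = _token("auth0|userA", 1_700_000_000)  # first login, User A
TOKEN_B = _token("auth0|userB", 1_700_004_000)  # later login, User B, same browser


def decode_claims(token: str) -> dict:
    """Decode the payload of a compact JWS without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def principal_key(claims: dict) -> str:
    """Identity key for authorization and per-user caches: issuer + sub, never sid."""
    return f"{claims['iss']}#{claims['sub']}"


def cache_collisions(tokens: list, key_claim: str) -> set:
    """Simulate a per-user cache keyed by one claim. Returns the keys shared by
    more than one sub; any hit means one user's data would be served to another.
    Keying on "sid" collides for these tokens; keying on "sub" does not."""
    owners: dict = {}
    for token in tokens:
        claims = decode_claims(token)
        owners.setdefault(claims[key_claim], set()).add(claims["sub"])
    return {key for key, subs in owners.items() if len(subs) > 1}


if __name__ == "__main__":
    print("collisions keyed on sid:", cache_collisions([TOKEN_A, TOKEN_B], "sid"))
    print("collisions keyed on sub:", cache_collisions([TOKEN_A, TOKEN_B], "sub"))
```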