Auth0 does not create a session if one already exists

  • Which SDK this is regarding: e.g. auth0-react
  • SDK Version: e.g. 1.9.0

We’ve come up with an interesting flow that I’m not sure what the expectations are. Essentially this boils down to user A being logged into our app and then user B logging in via alternate means, but on the same computer. The Auth0 SDK for react leaves the original user logged in.

More accurately:

  • User A logs in with chrome
  • User B uses our sign up form in Firefox on the same PC
  • New User B gets a password reset/verification email and opens it in chrome
  • User B completes the password reset process (now in chrome on the same PC) and is redirected back to our app by Auth0
  • Our app calls getTokenSilently but receives the cached token for User A

Should Auth0 be clearing out the session of the original user? Or is this a weird edge case?

We stumbled upon this while testing out a custom signup+password reset flow we put in place using password reset tickets.

Hi @mhull,

Welcome to the Auth0 Community!

I would say this is a weird edge case. IIRC, completing a password reset doesn’t create a new session, so this would be expected in the flow you described. The user would still have to log in after resetting their password if there wasn’t an existing session.

Additionally, I haven’t seen this come up as a common problem.
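One defensive check an app can make for the flow described in the question: when it returns from a password-reset or verification redirect, compare the identity behind the cached session with the user the reset link was issued for, and refuse to reuse the token when they differ. This is an added example, not code from the thread or from the Auth0 SDK; `FakeAuth0Client`, the `expected_sub` query parameter and the `sub` values are constructed for the demo, while the `getUser()` / `getTokenSilently()` / `logout()` method names mirror the auth0-spa-js client that auth0-react wraps.

```javascript
// Added example: detect the "cached token belongs to a different user" case from the thread.
// FakeAuth0Client is a constructed stand-in for the auth0-spa-js client (which auth0-react wraps);
// it exposes the same getUser()/getTokenSilently()/logout() names but never talks to the network.
class FakeAuth0Client {
  constructor(cachedUser, cachedToken) {
    this.cachedUser = cachedUser;   // what the SDK returns from the verified, cached ID token
    this.cachedToken = cachedToken; // what getTokenSilently() returns from its cache
    this.loggedOut = false;
  }
  async getUser() { return this.loggedOut ? undefined : this.cachedUser; }
  async getTokenSilently() {
    if (this.loggedOut) throw new Error('login_required');
    return this.cachedToken;
  }
  async logout() { this.loggedOut = true; }
}

// Returns the identifier the reset/verification link was issued for.
// ASSUMPTION: the app itself put the expected user's `sub` into the redirect URL it controls,
// e.g. https://app.example/reset-done?expected_sub=auth0%7CuserB ; Auth0 does not supply this.
function expectedSubFromUrl(url) {
  return new URL(url).searchParams.get('expected_sub');
}

// Core check: only hand back a token if the session behind it is the user we expect.
// Result: { status: 'ok', token } | { status: 'mismatch', cachedSub } | { status: 'no_session' }
async function tokenForExpectedUser(client, expectedSub) {
  const user = await client.getUser();
  if (!user) return { status: 'no_session' };
  if (user.sub !== expectedSub) {
    // The cached session belongs to someone else (User A in the thread). Do not use its token;
    // end that session so the next step is an explicit login as the expected user.
    await client.logout();
    return { status: 'mismatch', cachedSub: user.sub };
  }
  return { status: 'ok', token: await client.getTokenSilently() };
}

// Scenario from the thread: User A's session is cached, User B's reset link brings us back.
async function demo() {
  const client = new FakeAuth0Client({ sub: 'auth0|userA' }, 'token-for-userA');
  const expected = expectedSubFromUrl('https://app.example/reset-done?expected_sub=auth0%7CuserB');
  return tokenForExpectedUser(client, expected); // → { status: 'mismatch', cachedSub: 'auth0|userA' }
}
```

In a real auth0-react app the same check sits in the component that handles the post-reset route, using `user`, `getAccessTokenSilently` and `logout` from `useAuth0()` in place of the stub.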