User authenticates to Custom Database (session cookie created)
User is redirected by Action to an external Custom MFA page
In some cases MFA is not successful → the MFA page redirects to the Auth0 /continue URL so that the Action can verify the session token and invalidate it (it works)
The thing is that the last step simply blocks the authentication part using an api.access.deny(), but this doesn’t clear the session cookie. If we try to authenticate again we will skip the login/password page and get directly redirected to MFA pages.