It happens on a local environment (an Angular application using ‘auth0-spa-js’ running on localhost).
Basically I have been logging in and out of the application multiple times using different user accounts (just as part of dev process) and eventually I got that error.
It appears it happened after 19 times because the same string appears 19 times inside the Cookie header:
Thanks @thomas.osborn, that is how I solved it when it happened. My question is more if there is a way to prevent it from happening? Especially to a real user?
I think it is very unlikely to happen. Those cookies should expire after 24 hours, so unless 18+ users login from the same browser, all within a 24 hour period, it shouldn’t happen.