In SPA authentication, how does Auth0 remember that I'm logged in on page refresh?

Hi @iamdtang

Thanks for contacting us at Auth0 Community.

I’ll go through how this works at a high level. As soon as the user (through the browser) starts interacting with the Auth0 domain (e.g., the first /authorize request), a “session” is created. The session basically ties the browser to some state stored on the Auth0 server side. This session is tied to the auth0 cookie on the client side and the browser will store that cookie. The content of the auth0 cookie is a reference to the session stored server-side. Every subsequent request from the browser to the Auth0 domain will include that auth0 cookie. This means that as long as the user uses the same browser, Auth0 will keep track of the user. The cookie will not have your information but a pointer to the server-side session, which does have your information.

I hope this clarifies your question. You can read more about sessions and how they relate in SPAs here: https://auth0.com/docs/users/sessions

Incognito mode can cause the cookie not to be sent in the request. I think these will be the third-party cookie settings in the browser; you should be able to disable this in the browser settings.

3 Likes
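
The reference-cookie pattern described in the answer above, as an added sketch that is not part of the original post and is not Auth0's implementation. The function names, the in-memory `Map` store and the cookie attributes are assumptions; only the cookie name `auth0` comes from the thread.

```javascript
const crypto = require("node:crypto");

// Server-side session store: opaque id -> user state (in-memory for this sketch).
const sessions = new Map();

// Called when the browser first authenticates on the authorization server's domain.
function createSession(user, ttlMs = 60 * 60 * 1000, now = Date.now()) {
  const id = crypto.randomBytes(32).toString("base64url"); // unguessable reference
  sessions.set(id, { user, expiresAt: now + ttlMs });
  // Attributes are assumptions: HttpOnly keeps page script from reading the cookie,
  // SameSite=None; Secure lets it travel on cross-site requests made for the SPA.
  return `auth0=${id}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Pull one cookie value out of a request's Cookie header.
function readCookie(header, name) {
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Called on every later request: resolve the reference to server-side state.
function resolveSession(cookieHeader, now = Date.now()) {
  const id = readCookie(cookieHeader, "auth0");
  if (!id) return null; // cookie not sent, e.g. blocked as a third-party cookie
  const s = sessions.get(id);
  if (!s) return null; // unknown or forged reference
  if (s.expiresAt <= now) { sessions.delete(id); return null; } // expired
  return s.user;
}

// Constructed sample flow: log in once, then "refresh the page".
const setCookie = createSession({ sub: "user-123", email: "alice@example.com" });
const cookieHeader = setCookie.split(";")[0]; // what the browser sends back
console.log(resolveSession(cookieHeader)); // the stored user object
console.log(resolveSession(""));           // null: no cookie, so no session
```

The cookie value carries no user data, so a request that arrives without it (or with an unknown value) simply looks like a logged-out browser.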