Prevent Credential transfers

Hey Community,

I have two separate VUE router sessions using Database authentication.

I have TWO Separate databases for logins.

On app1: a user uses the default DB, on app2: the user uses the centric DB.

Well, when I have a url on APP 1 that transfers the user to APP2 or vice versa, the session stores.

USER1: Can access both APP1 & APP2, even though they don’t have a credential in both DB’s.

User1 should only be able to access APP1 using the Default DB, but they still can access APP2.

How do I eliminate this?

Hi @rossm,

Welcome to the Auth0 Community!

Firstly, having two databases where there each DB is assigned per Application is the correct approach:

  • User 1 in Default DB and User 2 in Centric DB
  • App 1: Default DB
  • App 2: Centric DB

I believe you already have this part configured. In this configuration, User 1 can only log in to App 1 and cannot log in to App 2. Likewise, User 2 can only log in to App 2 and cannot log in to App 1.

Is this not the behavior you are experiencing? If not, could you please capture your login events in a HAR file and send them to me as a direct message to investigate further?

Next, you mentioned that you have “a URL on App 1 that transfers the user to App2 or vice versa”. Could you please clarify how the user is being transferred and provide the exact steps on how you accomplish this?


I’ve gone ahead and sent the HAR file.

As for the transfer,

A user logs in to the session (it’s hosted via Express and OIDC) and sees a link specified below <% if (locals.isAuthenticated) { %>. The link redirects them to another project/port with a Separate CLIENT ID, that has a separately configured DB that does not share credentials with the prior service. For some reason: it keeps the user signed in with the prior sessions credentials. Once you sign out, the credential no longer works.

Site 1 is hosted at:
Site 2 is:

Found the solution,

seems the application secret was the same for both applications storing the same login for both sessions. I generated a new openssl string and the issue resolved.

TL:DR: If your session stores for two different DB’s use openssl and change the secret for both projects.


Hi @rossm,

Thank you for your updates, and I’m glad you were able to resolve your issue!

Please feel free to reach out again if you have any questions.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.