Skip to main content
important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Delete tokens of unused token transfer methods during createNewSession

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:
proposed
Deciders:
rishabhpoddar, porcellus
Proposed by:
porcellus
Created:
2022-11-24

Context and Problem Statement#

In some cases, createNewSession can be called while there is an active session. Normally this would overwrite the old session, but there could be tokens present in other token transfer methods. E.g.:

  • The request has an access token attached as header
  • createNewSession is called
  • getTokenTransferMethod returns cookies (for example because of a user override)
  • We would are overwriting cookies, but that leaves tokens in storage associated with headers

Considered Options#

  • Do not clear
  • Clear other token transfer methods - if they have attached anything to the request (even invalid or expired tokens)

Decision Outcome#

Clear other token transfer methods. Reasons:

  • We only want the tokens of a single session present in the browser.
  • It avoids future issues/confusion by proactively cleaning up and not depending on future refresh calls.
  • We will only clear headers/cookies if they were sent to us, avoiding sending the FE unexpected headers.