What is the session behaviour if multiple distinct (a.com & b.com) sites use the same session?

supertokens / supertokens-website

Frontend SDK for SuperTokens - for session management + automatically refreshing sessions

https://supertokens.com

Other

54 stars 13 forks source link

Closed rishabhpoddar closed 2 years ago

rishabhpoddar commented 4 years ago

Some example issues:

if a.com is open in one tab, and b.com in another, then synchronising refresh API calls is not possible using cookies nor localstorage...
If a user logs in via a.com, the API domain has cookies set against them. Now if the user logs into b.com, the cookies in the APIs are over written. What happens to a.com's session?
If user logs out of a.com, then b.com might still think that the user is logged in..

rishabhpoddar commented 2 years ago

Using our sessions for this use case is not suitable. You should instead use SSO and have a session each for a.com and b.com