> **Important:** This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
# Delete tokens of unused token transfer methods during createNewSession

## Status

This is just a proposal so far; it hasn't been accepted and needs further discussion.

- Status: proposed
- Deciders: rishabhpoddar, porcellus
- Proposed by: porcellus
- Created: 2022-11-24

## Context and Problem Statement
In some cases, createNewSession can be called while there is an active session. Normally this would overwrite the old session, but tokens could still be present in other token transfer methods. For example:
- The request has an access token attached as header
- createNewSession is called
- getTokenTransferMethod returns cookies (for example because of a user override)
- We would overwrite the cookies, but that leaves the tokens associated with the header transfer method in browser storage

## Considered Options
- Do not clear
- Clear other token transfer methods - if they have attached anything to the request (even invalid or expired tokens)
## Decision Outcome
Clear other token transfer methods. Reasons:
- We only want the tokens of a single session present in the browser.
- It avoids future issues/confusion by proactively cleaning up and not depending on future refresh calls.
- We will only clear headers/cookies if they were sent to us, avoiding sending the frontend unexpected headers.
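The following is an added example (not supertokens-node code) that models the chosen behaviour: the new session is written through the selected transfer method, and tokens of the other method are cleared only if that method actually attached something to the request. The token names, the `planCreateNewSession` helper and the request shape are assumptions made for the illustration.

```typescript
// Added illustration of the decision above; not the SuperTokens implementation.
type TransferMethod = "cookie" | "header";

interface IncomingRequest {
  cookies: Record<string, string>; // cookie-based transfer (assumed names below)
  headers: Record<string, string>; // header-based transfer (assumed names below)
}

// Token carriers per transfer method (assumed names for this example).
const TOKEN_NAMES: Record<TransferMethod, string[]> = {
  cookie: ["sAccessToken", "sRefreshToken"],
  header: ["authorization", "st-refresh-token"],
};

interface ResponseAction {
  method: TransferMethod;
  token: string;
  action: "set" | "clear";
}

// Tokens a given method attached to this request. Only presence matters:
// an invalid or expired token still counts, per the decision outcome.
function attachedTokens(req: IncomingRequest, method: TransferMethod): string[] {
  const store = method === "cookie" ? req.cookies : req.headers;
  return TOKEN_NAMES[method].filter((name) => name in store);
}

// Plan the response of createNewSession: set the new session's tokens via the
// chosen method (e.g. what getTokenTransferMethod returned), then clear tokens of
// every other method, but only those the request actually carried.
function planCreateNewSession(req: IncomingRequest, chosen: TransferMethod): ResponseAction[] {
  const actions: ResponseAction[] = TOKEN_NAMES[chosen].map(
    (token): ResponseAction => ({ method: chosen, token, action: "set" }),
  );
  for (const other of Object.keys(TOKEN_NAMES) as TransferMethod[]) {
    if (other === chosen) continue;
    for (const token of attachedTokens(req, other)) {
      actions.push({ method: other, token, action: "clear" });
    }
  }
  return actions;
}

// Constructed sample: access token arrived as a header, session is re-created via cookies.
const sampleRequest: IncomingRequest = { cookies: {}, headers: { authorization: "Bearer <constructed>" } };
console.log(planCreateNewSession(sampleRequest, "cookie"));
```

In the sample the plan sets both cookies and clears only the `authorization` header; the refresh-token header is left alone because the request never sent one.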