Signing in when already signed in shouldn't create a new session

I know it's contrived, but if you're already signed in but still call the authClient sign in function, a new session will be created in the database. My expectation is that it would just return an error saying "Already signed in".

Basically it doesn't seem idempotent and neither does sign out.

AAndrei I know it's contrived, but if you're already signed in but still call the authCl...

Ping•6/14/25, 5:33 PM

A new session is created each time a user logs in, as sessions are intentionally designed to be non-reusable. This behavior also serves a security purpose - by associating a session with its creation time, we can measure its freshness. Certain sensitive actions, like deleting an account, require a fresh session, which means the user must re-authenticate even if an existing session is still active.

Ping•6/14/25, 5:34 PM

Over time a session will expire, so those older unused sessions will eventually be removed from DB.

AndreiOP•6/20/25, 1:57 PM

Right but my point is if they're already signed in there's no reason they should be able to create a new session. It would be easy to just check if a cookie currently exists, as I'm currently doing with a wrapper function I made, and then just tell them they're already logged in. This would make it idempotent.

AAndrei Right but my point is if they're already signed in there's no reason they should...

Ping•6/20/25, 2:06 PM

I totally see where you're coming from, your wrapper makes sense in the context of improving UX by avoiding redundant sign-ins.

That said, the behavior you're describing as "non-idempotent" is actually intentional in most secure auth systems. Creating a new session on each sign-in - even if a user is already authenticated - isn't just a technical quirk, it's a design choice rooted in security. Re-authentication provides a fresh session token tied to a precise moment in time, which is essential for enforcing things like session freshness checks on critical actions (e.g. deleting an account or rotating credentials).

Relying solely on the presence of a cookie or session token can be risky - tokens can be stale, compromised, or shared across devices. Forcing a new session ensures we’re not reusing old state, and it provides better auditability and control over session lifecycle (like forced logout on password change, etc.).

Your approach is totally valid in cases where you want to avoid unnecessary friction, but the default behavior here prioritizes security over idempotency by design.

Hope that clarifies the reasoning a bit!

Signing in when already signed in shouldn't create a new session

Similar Threads

Similar Threads

Similar Threads