Unexpected shared session across different devices with realm authentication


I’m encountering an unexpected behavior with MongoDB Realm as the authentication provider for my application. Here’s the issue I’m facing:

I have set up two separate environments for testing authentication: one on a mobile phone browser and the other on a laptop browser, both initially in logout mode.

Here’s what happens:

  1. I log in from the phone browser with User X.
  2. Without logging in again, I simply refresh the laptop browser, and it shows that I am logged in as User X.
  3. When I attempt to log out from the laptop browser and then refresh the phone browser, it logs out User X automatically.

It appears that the session state is shared across both devices. I am not using any explicit cross-device synchronization for the session state, and I expected the sessions to be isolated to each device/browser.

Could anyone provide insights into why this shared session behavior is occurring, and how I can ensure that sessions remain separate for each device?

Thank you in advance for your assistance!

Hi, this is definitely surprising behaviour. Is it possible that you are using a browser or extension that synchronizes cookies / local storage across devices?

Session information is localized to the cookies / local storage on the device, but it does seem that some browsers are capable of synchronizing this information across devices when signed into the same account.


1 Like

@Tyler_Kaye Thanks a lot for your response

i don’t think so, because I made the test on a completely separated environment

Here’s an example of the auth implementation with realm-web on GitHub::

and you can see the live behavior here:


realm-web: 2.0.0


Hello @work_state! It looks like you’re doing your login on the server side of your application in routes/login/+page.server.js which means you aren’t logging in the browser, but the entire node backend of your application (svelte will spin up a node server to server side render the parts of your application that are in *.server.* files). All svelte files with server in the name are run on a backing node server, not in the browser.

This means that any subsequent users navigating to the site will then hit the backend of your application which is already logged in. You’ll want to move your login/user management logic into the <script> tag in +page.svelte so that the session state is saved in the browser rather than on the backend of your application

1 Like

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.