Why do a user need both sessionToken and sessionId for logout?

Original message was deleted

fabienne•8/13/24, 5:35 AM

the session token is not always required

fabienne•8/13/24, 5:35 AM

Mmohit-actualize @fabienne Following up on this to make sure we do not run into issues as we run ...

FFO•8/14/24, 6:00 PM

We store all data in the DB, so each zitadel can check against that storage.

So the answer is yes

fabienne•8/14/24, 6:31 PM

i am actually not sure if i understand what you try to achieve. a session token of a user in one instance, is not known by the other instance, and therefore it will not be valid if you send it to another instance. but maybe i miss interpret what you are asking.

fabienne•8/16/24, 6:10 AM

ok, so yes the token is unique across instances, it does include two ids session id and token id which are encrypted, on the same sytem (across all instances) this should never be the same, if you do have two completaly separat ZITADELs it would theoretically be possible, but in that case something is configured wrong