There is a security issue I am facing which is a b...
# support-questions-legacy
t
There is a security issue I am facing which is a bit concerning. I logged in as user 1 using SuperTokens auth on one device and logged in as user 2 on another device. But on device 2, user 1 somehow gets logged in on refresh, whereas on device 2 user 1 was never logged in. My assumption is that the backend is sending the incorrect token on sign-in/up, which could be due to a session caching issue on the core. Does anyone have an idea about this?
r
Hey. This can happen due to session caching on your API layer side. Please check your cache settings. Usually this happens when you log out and log in with different users on the same device (if the caching is not proper). On different devices though, it’s odd.
t
We are not caching the session on the application layer explicitly.
r
Not sure. The issue is usually to do with caching. You should check how your framework works.
I mean backend web framework