It is recommended to reset the session at sign in for protect from session fixation attacks. So reseted session in Passwordless::ControllerHelpers#sign_in. 2.7 Session Fixation - Countermeasures ...