Hubspotutk cookie with several users on the same machine



I have trouble understanding how hubspotutk cookie works.

Here is my use case:
When a user signs in in my app, I expect a hubspotutk cookie to be set in the browser. This works fine. Then the user logs out. When another user signs in on the same machine, same browser, I'd like him/her to be identified as another contact in hubsppot, and not the same as the previous user.

At the signin (and the signup, if it matters), I use the Forms API to interact with Hubspot.

What I expect:
When the second user signs in, another hubspotutk cookie is set, different from the cookie of the first user.

What I get:
When the second user signs in, the hubspotutk cookie of the previous user is used in the browser, even if I clear cookies between the two sessions. As a consequence, I have only one contact in hubspot that is a mix between the two users.

How it is implemented
In my app, I have the following tracking code in every page of my app:
<script type="text/javascript" id="hs-script-loader" async defer src="//<%= Figaro.env.HUBSPOT_FORMS_HUB_ID %>.js"></script>

After the signin, I call the Form API from my backend

My question
Why do I have the same hubspotutk cookie between two sessions? Even when the second user is not logged and the cookies cleared, the hubspotutk cookie is magically restored when the user refreshes the page. How does hubspot associate this cookie to the machine? Is it via its IP address?

Anyway, how to handle the use case where several users use the same machine?

Thanks for any tip.


Hi @Remi_Doolaeghe! I think the main question I have for you is why are you deciding to use the Forms API? We do have an identify a visitor function as a part of our tracking code API which you could use on Login. You can then use the remove cookies function after they log out.

Overall, one cookie will be associated with one browser when a new visitor visits your site, but clearing cookies between each visit should clear out the cookie for that user. The next time a visitor visits the page, a new cookie should be dropped into the browser. The cookie is not associated via IP Address. So if you tie a specific cookie to a user on login, then clear it, then another user logs in on the same device, this should work. It may be possible you're passing in the old cookie when implementing the login flow, but I can't be certain. I do think that the tracking code API would be your best bet though, since we can tell the tracking code specifically to remove the code via