Log user out of all currently active sessions?

Is there any way to log a user out of all of their currently active sessions?

Similarly, is there a way to ensure my users can have only one active session at a time?


In terms of terminating every authenticated session at the identity provider (your Auth0 account) associated with a given user, this is currently not possible. I’ve seen discussions around this so it’s likely a functionality that will be available in the future, but at this time I cannot provide you any further information about this.

In relation to ensuring only one active session, this is more client application specific, as in general there does not seem to be a strong use case to impose this at the core identity provider level. In conclusion, at this time, you can already implement active session restrictions directly in your client application logic.

I disagree that single-session-per-user shouldn’t be an Auth0 feature. For many of us Serverless folks, Auth0 is the session system (and that is so in our case). This is also a security feature that could be very helpful.

That being said, if there was an API to allow us to log a user out of all other active sessions, I think that would work too. I know there’s a way in Auth0 to log out all other active sessions, since I’ve had it happen accidentally on me already. The session needs to be logged out on the Auth0 side, otherwise they would still be able to access user metadata.

As mentioned, the ability to log a user out of all sessions is something that I’ve seen discussed, but to my knowledge there’s no supported way of requesting that at the moment. In relation to the single session requirement, what I stated is my personal opinion, as I believe it should be a client application concern. However, it’s just my opinion. You could consider rejecting the transaction through a rule, as that would be like imposing the single session at the IdP and not at the client application.
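The "reject the transaction through a rule" idea from the last reply, worked through as an added example (this is not code from the thread or from Auth0). An Auth0 Rule has the shape `function (user, context, callback)` and, in the Auth0 runtime, gets a global `auth0` management client (`auth0.users.updateAppMetadata`) and a global `UnauthorizedError`; the code below takes both through a `deps` parameter so the same logic runs offline against a constructed in-memory store. The session lease stored under `app_metadata.active_session`, the `SESSION_TTL_MS` value and the two constructed browser sessions `sess-A` / `sess-B` are assumptions made for the example; `context.sessionID` is the Auth0 session identifier that Rules expose. Note what this does and does not do: it refuses a new login from a different session while a lease is valid, it cannot terminate a session that already exists (which the thread says Auth0 does not offer), and the lease carries an expiry so a user whose browser crashed without logging out is locked out only until the lease lapses rather than forever. Auth0 has since superseded Rules with Actions, so the same logic would now live in a post-login Action.

```javascript
// Added example, not from the Auth0 thread: one active session per user,
// enforced at the IdP by rejecting a second concurrent login in a Rule.
const SESSION_TTL_MS = 60 * 60 * 1000; // assumed lease length; align with your idle timeout

function buildSingleSessionRule(deps) {
  // In the real Rules runtime `auth0` and `UnauthorizedError` are globals;
  // injecting them keeps the rule testable outside Auth0.
  const { auth0, UnauthorizedError, now = Date.now } = deps;

  return function singleSessionRule(user, context, callback) {
    const meta = Object.assign({}, user.app_metadata || {});
    const lease = meta.active_session;
    const current = now();
    // context.sessionID identifies the Auth0 session; a silent
    // re-authentication from the same browser session keeps the same value.
    const sessionId = context.sessionID;

    if (lease && lease.expires_at > current && lease.session_id !== sessionId) {
      // Another session holds an unexpired lease: refuse this login.
      return callback(new UnauthorizedError(
        'Another session is active for this account; retry after ' +
        new Date(lease.expires_at).toISOString()));
    }

    // No lease, an expired lease, or the same session renewing: (re)issue it.
    meta.active_session = {
      session_id: sessionId,
      issued_at: current,
      expires_at: current + SESSION_TTL_MS,
    };
    auth0.users.updateAppMetadata(user.user_id, meta)
      .then(() => {
        user.app_metadata = meta;
        callback(null, user, context);
      })
      .catch((err) => callback(err));
  };
}

// Stand-ins for the Rules runtime, constructed for this example only.
class UnauthorizedError extends Error {}

function makeFakeManagement(store) {
  return {
    users: {
      updateAppMetadata(userId, metadata) {
        store[userId] = metadata;
        return Promise.resolve(metadata);
      },
    },
  };
}

// Run one login through the rule and report whether it was allowed.
function runLogin(rule, user, context) {
  return new Promise((resolve) => {
    rule(user, context, (err) =>
      resolve(err ? { allowed: false, reason: err.message } : { allowed: true }));
  });
}

// Constructed scenario: the same account logging in from two browser
// sessions, with a controllable clock so the lease expiry can be exercised.
async function simulate() {
  const store = {};
  let clock = 1700000000000; // arbitrary fixed epoch for the fake clock
  const deps = { auth0: makeFakeManagement(store), UnauthorizedError, now: () => clock };
  const rule = buildSingleSessionRule(deps);
  const userId = 'auth0|example';
  const loadUser = () => ({ user_id: userId, app_metadata: store[userId] });

  const first = await runLogin(rule, loadUser(), { sessionID: 'sess-A' });
  clock += 5 * 60 * 1000;
  const second = await runLogin(rule, loadUser(), { sessionID: 'sess-B' });      // rejected: lease held by sess-A
  const renew = await runLogin(rule, loadUser(), { sessionID: 'sess-A' });       // same session renews its lease
  clock += SESSION_TTL_MS + 1;
  const afterExpiry = await runLogin(rule, loadUser(), { sessionID: 'sess-B' }); // lease lapsed, sess-B admitted
  return { first, second, renew, afterExpiry };
}

simulate().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Because a Rule runs only at authentication time, the lease is released either by expiry or by the client application clearing `app_metadata.active_session` through the Management API on logout; without one of those two paths a user who closes the browser without logging out is blocked for the full `SESSION_TTL_MS`, so keep the lease short.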