Auth0 is not invalidating all the active session after password reset : Nextjs 14

Hi,

Is there a way to revoke / destroy all active sessions after a user has reset their password?

The issue we face is…

Suppose user’s password has been compromised somehow, and the attacker has logged in to user’s account. Now after the user resets their password, the session on attacker’s system stays active.

Is there any way to clear all old sessions after the password is reset? We’re using @auth0/nextjs-auth0 npm package to integrate authentication in our application, but couldn’t find a way to clear application sessions related to user’s account.

Hi @shoeb.malik ,

Welcome to the Auth0 Community!

Regarding the Auth0 session, our docs do say that resetting a user’s password makes their session expire: Change Users' Passwords. But, this does nothing to kill the application session layer.

This article is more recent and includes some basic recommendations: Users is Not Logged Out after Password Reset.

Then, you might find our OIDC Back-Channel Logout feature helpful. It can only be implemented for applications that have a backend, but it lets applications subscribe to session termination events, like password change, and then terminate the application session layer: OIDC Back-Channel Logout Initiators. Here are the more general docs on how this feature works: OIDC Back-Channel Logout

Other information can be found in these articles:

• Invalidating an Access Token after User Logout
• Clear Auth0 session cookie inside Action
  
  

Please let me know if this helps.

Thanks,
Timotei

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.