Hi,
Is there a way to revoke / destroy all active sessions after a user has reset their password?
The issue we face is…
Suppose a user’s password has been compromised somehow, and the attacker has logged in to the user’s account. Now, after the user resets their password, the session on the attacker’s system stays active.
Is there any way to clear all old sessions after the password is reset? We’re using the @auth0/nextjs-auth0 npm package to integrate authentication in our application, but couldn’t find a way to clear application sessions related to the user’s account.
Hi @shoeb.malik,
Welcome to the Auth0 Community!
Regarding the Auth0 session, our docs do say that resetting a user’s password makes their session expire: Change Users' Passwords. But, this does nothing to kill the application session layer.
This article is more recent and includes some basic recommendations: Users is Not Logged Out after Password Reset.
Then, you might find our OIDC Back-Channel Logout feature helpful. It can only be implemented for applications that have a backend, but it lets applications subscribe to session termination events, like password change, and then terminate the application session layer: OIDC Back-Channel Logout Initiators. Here are the more general docs on how this feature works: OIDC Back-Channel Logout
Other information can be found in these articles:
Please let me know if this helps.
Thanks,
Timotei