Is there a way to revoke / destroy all active sessions after a user has reset their password?
The issue we face is…
Suppose a user’s password has been compromised somehow, and the attacker has logged in to the user’s account. Now, after the user resets their password, the session on the attacker’s system stays active.
Is there any way to clear all old sessions after the password is reset? We’re using the @auth0/nextjs-auth0 npm package to integrate authentication in our application, but couldn’t find a way to clear application sessions related to the user’s account.
Regarding the Auth0 session, our docs do say that resetting a user’s password makes their session expire: Change Users' Passwords. But, this does nothing to kill the application session layer.
Then, you might find our OIDC Back-Channel Logout feature helpful. It can only be implemented for applications that have a backend, but it lets applications subscribe to session termination events, like password change, and then terminate the application session layer: OIDC Back-Channel Logout Initiators. Here are the more general docs on how this feature works: OIDC Back-Channel Logout