Behavior after password change

I’m really confused about what happens after a password reset. I have React and Express applications in my tenant. In my React app, I have a password reset button, which sends a link to an email containing the password reset flow. Now, after the user resets their password, what happens after that? If I have two browser instances with the same logged-in user, how do I manage to log out both of them? What’s the best practice there? Or why do I have to do this myself, why isn’t it already implemented? Logically, it’s mandatory to log the user out everywhere after a password reset.

Hi @figureouter

Welcome to the Auth0 Community!

When the user resets their password through a link such as a password change ticket, the user’s sessions are all invalidated across devices/browsers and they should be asked to re-authenticate.

If you have any other questions, let me know!

Kind Regards,
Nik

I’m doing it like this:

// Request the password-reset email through the public
// /dbconnections/change_password endpoint. DOMAIN and CLIENT_ID are
// the tenant domain and the application's client id; `user` is the
// currently logged-in user.
async function sendPasswordResetEmail(user) {
  const response = await fetch(`https://${DOMAIN}/dbconnections/change_password`, {
    method: 'POST',
    headers: {
      "Content-Type": "application/json",
      "Accept": "application/json",
    },
    body: JSON.stringify({
      "client_id": CLIENT_ID,
      "email": user.email,
      "connection": 'Username-Password-Authentication',
    }),
    redirect: 'follow'
  });
  // The endpoint answers with a plain-text confirmation, not a session change.
  return response;
}

It emails a link and I successfully change the password. But it doesn’t log me out when I refresh my tab inside the browser.

Hey Nik. Can you reply to my latest question? Thanks.

Hi again!

I am sorry about the delayed response.

I have tested using one of our sample applications and using multiple browsers.

After the user was logged in on both Chrome and Firefox, I submitted a cURL request for the password change email, the same as you have used above, and the user’s sessions were both terminated and they were asked to log in again.

I believe that your application might be persisting the application session of the user after it got terminated due to the password change, or that their session is being refreshed.
I would recommend checking your logs to see if any kind of silent authentication is performed after the password has been changed for the user.

Let me know if I can help with anything else on the matter and what your findings in the logs are!

Kind Regards,
Nik

Thank you, Nik, for your time!

I’ve observed that the reason is cacheLocation='localstorage', which I’m setting on Auth0Provider inside my React app. When I remove this line, it works pretty well.

I’m using this because without it my application is pretty slow, as it has to get an access token every time I visit some page.

Is there any way to solve both problems? Like keeping my application fast when retrieving the access token with getAccessTokenSilently (like with local storage) and logging the user out after a password reset.

Thanks.

Hi again.

Regarding this matter, I believe the following community post will be helpful:

Otherwise, I would recommend either checking the user session by using the isAuthenticated() method available within the SDK, as mentioned in the above post, or providing a prompt to the user that by requesting the reset password email they will be logged out - if they accept, the email will be sent and the user will be logged out so that they are forced to re-authenticate.

If I can help with anything else, let me know!

Kind Regards,
Nik

Hi Nik, what do you mean by forcing the user to log out? Won’t this method log out only the person trying to reset the password? And not the possible attacker logged in somewhere else?

Can you respond, Nik? Also, if an old access token is still valid after a password reset, what’s the point of logging out?

Hi,

I am sorry about the delayed response.

By logging out I am referring to redirecting the user to the /logout endpoint for their current session, meaning that an attacker would get logged out but the user’s session on their device would remain uninterrupted.

Alternatively, you can also terminate all of their sessions on password reset request as documented here.

I would recommend the first approach if you are retrieving the access token frequently in order to persist the session.

“Also, if an old access token is still valid after a password reset, what’s the point of logging out?”

In this scenario, I would recommend having access tokens with a short lifespan and extending the user’s session by using refresh tokens. However, if you are using isAuthenticated(), you would retrieve the access token only if the user has a valid session, meaning that if they are logged out after asking for a password reset in your scenario, the access token will not be retrieved because isAuthenticated() will return false.

Kind Regards,
Nik
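The "send the reset email, then end the current session" flow recommended above, written out as an added example that is not code from the thread or from Auth0. It reuses the same /dbconnections/change_password request the original poster showed, but only triggers the logout once the email request succeeded, so a failed request does not strand the user without a reset link. The `logout` callback is injected rather than imported: in the React app it would be `logout` from `useAuth0()`, which also clears the SDK's token cache (the localstorage cache that kept the old tokens alive in this thread). All names, the tenant domain and the client id are placeholders chosen for illustration.

```javascript
// Added example (not from the thread): request a password-reset email and,
// only on success, end the current browser session via an injected logout
// callback. Domain, client id and e-mail values used in tests are constructed.

const DEFAULT_CONNECTION = 'Username-Password-Authentication';

// Build the request the thread's fetch call sends, as a plain object so the
// URL and body can be inspected without a network.
function buildChangePasswordRequest({ domain, clientId, email, connection = DEFAULT_CONNECTION }) {
  if (!domain || !clientId || !email) {
    throw new Error('domain, clientId and email are required');
  }
  return {
    url: `https://${domain}/dbconnections/change_password`,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
      body: JSON.stringify({ client_id: clientId, email, connection }),
    },
  };
}

// Send the reset e-mail, then log the current session out. The logout step is
// skipped when the e-mail request fails. Returns a summary the caller can act on
// (for example to show "check your inbox" before the redirect happens).
async function requestPasswordResetThenLogout(params, { fetchImpl = globalThis.fetch, logout } = {}) {
  if (typeof logout !== 'function') {
    throw new Error('a logout callback is required');
  }
  const { url, options } = buildChangePasswordRequest(params);
  const response = await fetchImpl(url, options);
  if (!response.ok) {
    // Nothing was sent, so keep the user's session in place.
    return { emailSent: false, loggedOut: false, status: response.status };
  }
  // The e-mail is on its way; now end this browser's session so the SDK stops
  // serving cached tokens and forces a fresh login with the new password.
  await logout();
  return { emailSent: true, loggedOut: true, status: response.status };
}
```

In the React component you would call `requestPasswordResetThenLogout({ domain, clientId, email: user.email }, { logout: () => logout({ logoutParams: { returnTo: window.location.origin } }) })` from the reset button's handler after the user has confirmed the prompt; the assumed `logout` there is the one returned by `useAuth0()`.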