Is there a way to revoke / destroy all active sessions after a user has reset their password?
The issue we face is…
Suppose user’s password has been compromised somehow, and the attacker has logged in to user’s account. Now after the user resets their password, the session on attacker’s system stays active.
Is there any way to clear all old sessions after the password is reset? We’re using
@auth0/nextjs-auth0 npm package to integrate authentication in our application, but couldn’t find a way to clear application sessions related to user’s account
From everything I have seen Auth0 likes to answer with the crap answer of “Auth0 session ARE revoked” but then don’t offer any kind of reasoning on how your application is supposed to recieve that state update.
And unless someone can prove me wrong, there is no actual mechanism for notifiying your application that the state change has occured, leaving your user vulernable to futher attacks while awaiting your application session to end.
Pretty much if you authenticate every single request instead of using any kind of session on your end, then you are good. It would be detectable. But, basically they dont have any availible trigger mechanism to update your side that it has occurred. If they even had a modicum of care they would provide something akin to a webhook call as part of setup to recieve important state changes and take action. But they dont. Signed URLs are child’s play, but Auth0 doesn’t really care.
That is why they close these posts soooo quickly. In their mind, its not their problem. But it is infact is. Basically if you need to be able to force application session ending on password change, Auth0 is not for you.
I would loooovve to be proven wrong as we are currently looking to leave Auth0 over this.
Did you find any other vendor that does this?
My guess would be that you need to call checkSession at regular interval to revalidate the current session.
- Have short timeouts on your local session and redirect to Auth0 at short intervals to re-authenticate. This can be done by calling
checkSession from the client which does this redirect in a hidden iFrame. If you take the hidden iFrame approach you need to be aware of rate limits and third-party cookie issues.