Welcome to the Auth0 Community!
Thank you for posting your question. First of all it’s worth to mention that resetting a user’s password makes their session expire on the Auth0 server side, but note that there are different session layers (please see Sessions)
and invalidating the Auth0 session layer does not mean invalidation of the Application session layer. The application would need to clear the local application session; a different browser would have its own local session via cookies, for example.
There’s no best answer to the question of what is the best approach, as it will depend. Here’s a link to the Solution from Knowledge Solution that should clear what the options are with Auth0 right now → User is Not Logged Out after Password Reset
It’s not mentioned in the post, so please keep in mind that the Access Tokens and ID Tokens cannot be revoked, as this is by design. Depending on the use case, you can lower the lifetime for the Access Tokens or ID Tokens and use refresh tokens.
Thanks!
Dawid