Kill all active sessions after password reset

Hi,

Is there any way to kill all active sessions that are active in different tabs or windows?
Scenario: if I open the application in multiple tabs and reset the password in one tab, I am still able to log in with the old password in the other tabs.

My scenario is:
I have logged into two browsers, Microsoft Edge and Chrome. When I reset my password in Chrome and just do an API call in the Edge browser (no reload of the application), it gives me proper data without logging out. Usually it should be logged out.

I have set Redirect To as the logout URL in the change password email template, which logs out my application and redirects to the login page again.

Is this an issue in Auth0?

I can confirm.

The security risk is when a user forgets to sign out and delete the active browser session in a public place.

A user has no way of invalidating all active sessions, not even with a password reset.

Steps to reproduce:

  1. Log in with browser B1 to create session S1
  2. Log in with browser B2 to create session S2
  3. Request a password reset in browser B2; confirm to change the password
  4. Use the new password to log in with browser B2 to create session S3

Even after resetting the password, session S1 in browser B1 remains active and can be abused.

I reckon this scenario can also be abused when a session can be duplicated by an attacker. Even when the victim is alerted by the session duplication, they have no way of mitigating the attack by ending all sessions and re-authenticating.

I can’t reproduce the issue in the original post, nor the last one by @larsatfugacloud.

Just to confirm: you are talking about Auth0 sessions, not application sessions, right?
Referring to the different session layers as described at https://auth0.com/docs/sessions

Auth0 sessions are reset when a user’s password or email address changes.

Hello, a bug bounty hunter just reported the same to us, and he talks about the Auth0 session. Can you confirm that this is not true? The report we received:

Suppose you have an account at https://lumeer.eu.auth0.com/login?state=

Somehow an attacker manages to get your password and logs into your account… after learning that your ID has been compromised, what will you do?
I guess the first thing that will pop into your head is, “I should change my password!” and you’ll change the password… most users just change their password when they recover their ID.
In https://lumeer.eu.auth0.com/login?state=//users/sign_in changing the password doesn’t destroy the other sessions which are logged in with old passwords.

(Logging in with the new password doesn’t invalidate the older sessions either)
As the other sessions are not destroyed, the attacker will still be logged into your account even after changing the password, because his session is still active… he’ll have complete access to your account until that session expires!
So your account remains insecure even after changing the password.
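The behaviour this thread is asking for, whether for the reproduction steps S1/S2/S3 above or for the bug bounty report just quoted, is a server-side check that rejects every session issued before the password change on its next request, not only on page reload. The following is an added illustration written for this thread; it is not Auth0's code, not any poster's code, and says nothing about how Auth0's session layer is implemented. `AuthServer`, `credential_generation`, `reproduce_report` and the sample account are assumptions. The idea: each user carries a generation counter, every session is stamped with the generation current at login, and a password reset (or an explicit "log out everywhere") bumps the counter, so the stamp on S1 and S2 no longer matches and an API call with either cookie fails.

```python
"""Server-side session invalidation on password reset (added illustration)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    # Incremented on every password change and on "log out everywhere".
    # Every session is stamped with the generation current at login time.
    credential_generation: int = 0


@dataclass
class Session:
    session_id: str
    username: str
    credential_generation: int


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; a deployed system would use
    # a tuned memory-hard KDF such as argon2id or scrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthServer:
    """Hypothetical stand-in for the layer that owns login sessions."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(user.password_hash, _hash_password(password, user.salt)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(sid, username, user.credential_generation)
        return sid

    def authorize(self, session_id: Optional[str]) -> bool:
        """Run on every API request, not only on page load."""
        session = self.sessions.get(session_id) if session_id else None
        if session is None:
            return False
        user = self.users.get(session.username)
        if user is None or session.credential_generation != user.credential_generation:
            # Stale session: credentials changed after it was issued. Drop it.
            del self.sessions[session_id]
            return False
        return True

    def reset_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new_password, user.salt)
        user.credential_generation += 1  # every existing session is now stale

    def logout_everywhere(self, username: str) -> None:
        """What the thread wishes the user could trigger without a reset."""
        self.users[username].credential_generation += 1


def reproduce_report() -> dict:
    """Walk the thread's steps: S1 in B1, S2 in B2, reset in B2, then S3."""
    server = AuthServer()
    server.register("victim", "old-password")  # constructed sample account
    s1 = server.login("victim", "old-password")  # browser B1
    s2 = server.login("victim", "old-password")  # browser B2
    server.reset_password("victim", "new-password")
    s3 = server.login("victim", "new-password")  # browser B2 again
    return {
        "s1_alive_after_reset": server.authorize(s1),
        "s2_alive_after_reset": server.authorize(s2),
        "s3_alive": server.authorize(s3),
        "old_password_still_works": server.login("victim", "old-password") is not None,
    }


if __name__ == "__main__":
    print(reproduce_report())
```

The generation check is evaluated on every request, which is what the original post's "API call in the other browser without reload" scenario needs; a redirect-to-logout URL only clears the one tab that followed the reset link. Stale sessions are deleted lazily when they next present themselves, which also covers a session an attacker duplicated from the victim's cookie, since its stamp is the same stale generation.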