Kill all active sessions after password reset

Hi,

Is there any way to kill all active sessions that are active in different tabs or windows?
Scenario: If I open the application in multiple tabs and reset the password in one tab, I am able to log in with the old password in the other tabs.

Hi,

Thanks for reaching out. I tried testing this and when resetting a user's password while they have an existing session I was seeing this session cleared when reloading the logged-in tab. Are you seeing this not happen with your users? Can you provide any further details on how you're resetting user passwords?

My scenario is,
I have logged into two browsers, Microsoft Edge and Chrome. When I reset my password in Chrome and just make an API call in the Edge browser (no reload of the application), that gives me proper data without logging out. Usually that should be logged out.

I have set Redirect To as the logout URL in the change password email template, which logs out my application and redirects to the login page again.

Is this an issue in Auth0?

I can confirm.

The security risk is when a user forgets to sign out and delete the active browser session at a public place.

A user has no way of invalidating all active sessions, not even with a password reset.

Steps to reproduce:

  1. Login with browser B1 to create session S1
  2. Login with browser B2 to create session S2
  3. Request password reset in browser B2; confirm to change password
  4. Use new password to login with browser B2 to create session S3

Even after resetting the password, session S1 in browser B1 remains active and can be abused.

I reckon this scenario can also be abused when a session can be duplicated by an attacker. Even when the victim is alerted by the session duplication, they have no way of mitigating the attack by ending all sessions and re-authenticating.

I can't reproduce the issue in the original post, nor the last one by @larsatfugacloud.

Just to confirm: you are talking about Auth0 sessions, not application sessions, right?
Referring to the different session layers as described at https://auth0.com/docs/sessions

Auth0 sessions are reset when a user’s password or email address changes.
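As an added illustration (not code from this thread or from Auth0), the following application-layer session store implements the behaviour the posts above ask for at the application session layer the last reply distinguishes: any session issued before the user's most recent password change is rejected. It replays the four steps to reproduce from @larsatfugacloud's post; the account name, passwords, hashing stand-in and the counter used in place of timestamps are all constructed.

```python
import hashlib, hmac, itertools
from dataclasses import dataclass

_clock = itertools.count(1)  # constructed monotonic clock standing in for real timestamps

def _hash(password):
    # Constructed stand-in for password hashing; production code uses argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class User:
    password_hash: str
    password_changed_at: int = 0  # advanced on every credential change; the invalidation key

class SessionStore:
    """Application-layer store: a session is valid only if issued after the user's last password change."""
    def __init__(self):
        self.users = {}
        self.sessions = {}  # session id -> (username, issued_at)
        self._ids = itertools.count(1)

    def register(self, username, password):
        self.users[username] = User(_hash(password))

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password_hash, _hash(password)):
            return None
        sid = f"S{next(self._ids)}"
        self.sessions[sid] = (username, next(_clock))
        return sid

    def reset_password(self, username, new_password):
        user = self.users[username]
        user.password_hash = _hash(new_password)
        user.password_changed_at = next(_clock)  # every earlier session now fails is_valid()

    def is_valid(self, sid):
        username, issued_at = self.sessions.get(sid, (None, 0))
        return username is not None and issued_at > self.users[username].password_changed_at

def reproduce_scenario():
    """Steps 1-4 from the thread: S1 and S2 predate the reset and are rejected, S3 survives."""
    store = SessionStore()
    store.register("alice", "old-pw")        # constructed test account
    s1 = store.login("alice", "old-pw")      # browser B1 -> S1
    s2 = store.login("alice", "old-pw")      # browser B2 -> S2
    store.reset_password("alice", "new-pw")  # reset requested from B2
    s3 = store.login("alice", "new-pw")      # B2 logs in again -> S3
    return {sid: store.is_valid(sid) for sid in (s1, s2, s3)}
```

The same check works with a real timestamp or a per-user "session generation" counter stored alongside the password hash; the point is that the comparison runs on every request, not only on page reload.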