
SPA: Invalidate all sessions on password change

lock
management-api

#1

Our application is comprised of an Ember.js SPA and a Rails API. We’re using lock.js.

Here’s the flow we have an issue with:

  1. Browser A is logged in
  2. Browser B is logged in

Now imagine a user logged into Browser A and B discovers she has been compromised. So the first thing she does is reset her password.

  3. Browser A requests a password change, receives the password change email, clicks the reset link and resets the password.
  4. Browser A remains logged in after the password change.
  5. Browser B appears to log the user out, but can simply click “log in” again, and click on their account listed under “last time you signed in with” and they are logged in again, without needing to know the updated password!

Step 5 is where everything goes wrong. Browser B should be forced to enter the new credentials to login again, but instead seemingly can just continue with the convenient last account used button.

You can just disable rememberLastLogin on Lock.js (https://github.com/auth0/lock) to avoid providing the last login button… but step 5 suggests that the frontend is still able to issue new sessions with old credentials.

Ultimately this all boils down to: is it possible to invalidate all other sessions and credentials when their password is reset, forcing them to fully re-authenticate?

Thanks,
David.


#2

Others here are much better qualified to answer this than I am but I believe the short answer is “no”. Once a token is issued it is valid until it expires. You can set short expiry times like we do, but there is still a window where this sort of thing (there are other scenarios where this pops up) will happen.

I suspect you could get around it by having your app ping Auth0 for some indication of a change on the profile, e.g. check updated_at, but even then you need to decide how often to check the user profile.
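The reply above describes the two levers an API actually has once a token is out: the token's own expiry, and a server-side comparison of when the token was issued against when the profile (password) last changed. The following Ruby snippet is an added example written for this thread, not code from either poster or from Auth0; it assumes a hypothetical per-user `PASSWORD_CHANGED_AT` store (populated however the API learns of the change, for instance by polling `updated_at` as the reply suggests), and it assumes the JWT signature has already been verified by the usual library before this check runs, so the payload decoder below deliberately does no verification of its own.

```ruby
require 'base64'
require 'json'
require 'time'

# Constructed sample store (hypothetical): the last known time each user's
# password changed. In the Rails API this would be filled from Auth0's
# updated_at or from a password-change notification, not hard-coded.
PASSWORD_CHANGED_AT = {
  'auth0|alice' => Time.utc(2016, 3, 1, 12, 0, 0)
}

# Decode only the payload segment of a JWT. No signature check happens here;
# that is assumed to be done earlier in the request pipeline by the JWT library.
def decode_payload(token)
  segment = token.split('.')[1]
  raise ArgumentError, 'malformed token' if segment.nil? || segment.empty?
  JSON.parse(Base64.urlsafe_decode64(segment))
end

# Build an unsigned token (alg "none") purely so the example can run offline.
# Real tokens from Auth0 are signed; this helper is constructed test input only.
def build_unsigned_token(claims)
  header  = Base64.urlsafe_encode64({ alg: 'none', typ: 'JWT' }.to_json, padding: false)
  payload = Base64.urlsafe_encode64(claims.to_json, padding: false)
  "#{header}.#{payload}."
end

# Decide whether an already-verified token should still be honoured.
# Returns one of :ok, :expired, :revoked_by_password_change, :unknown_user.
def session_status(token, now: Time.now.utc)
  claims = decode_payload(token)
  exp = claims['exp']
  iat = claims['iat']

  # Lever 1: the short expiry the reply recommends. Nothing outlives exp.
  return :expired if exp.nil? || Time.at(exp).utc <= now

  # Lever 2: reject tokens minted before the password changed. A token with
  # no iat cannot be placed on the timeline, so it is treated as stale too.
  changed_at = PASSWORD_CHANGED_AT[claims['sub']]
  return :unknown_user if changed_at.nil?
  return :revoked_by_password_change if iat.nil? || Time.at(iat).utc < changed_at

  :ok
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2016, 3, 1, 13, 0, 0)
  stale = build_unsigned_token(sub: 'auth0|alice',
                               iat: Time.utc(2016, 3, 1, 11, 0, 0).to_i,
                               exp: Time.utc(2016, 3, 2, 0, 0, 0).to_i)
  puts "token issued before the reset: #{session_status(stale, now: now)}"
end
```

The comparison is strict (`iat < changed_at`), so a token issued in the same second as the reset is accepted; a stricter deployment can use `<=` at the cost of occasionally rejecting the very first token issued after a reset. The gap the reply points out remains: between the reset and the moment the API learns the new `updated_at`, tokens issued before the reset are still honoured, which is why the expiry window is kept short.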