SPA invalidate all sessions on password change

Hi @dan.woda,

Apologies for the late reply. I was stuck on completing one of the features. Thanks for your guidance.

We didn’t use the IDP or Application session, so there was no question of those 2 sessions. I checked in settings that the ID token expiration time was 3600 seconds, so I changed it to a shorter lifetime, and everything seems to work fine now.

However, I have 2 questions to completely clarify the matter:

  1. Case 1: I changed the ID expiration time to 1 second for testing purposes. I logged in with Chrome and Firefox. In Chrome, I used the reset password link and updated the password. Then I continued working in the older tabs in both browsers. In Chrome, it works normally in the old tab, while in Firefox it logs out. Does that mean that when I reset the password from a browser, Auth0 would invalidate and store a new ID token in that browser?

  2. Case 2: I had the previous setting of 3600 seconds for the ID token expiration time. As in case 1, I logged in with both browsers, reset the password in Chrome, and started using the application from the same old tabs. I am able to access everything in Mozilla as well, since I have an ID expiration time of 3600 seconds. Now, when I hit refresh, it logs out in Mozilla but not in Chrome. Because the Auth0 cookie is invalidated? Is that the case?

Thanks in advance