Why access token is not invalidating after password reset

Description: In my application, when I log in from multiple devices and initiate a password reset on one of them, the login sessions on other devices remain active, and the access token remains valid until it expires. It is not being invalidated.

While searching for a solution in the community forum, I came across this discussion:

[Invalidating an Access Token after User Logout]

I’m curious to understand why the access token isn’t invalidated. Even if we manage to terminate other sessions, the token remains valid, posing a significant security risk, as an attacker could continue accessing APIs until it expires.

I would like to understand this architecture better and find a solution to address this issue.

Hi @jayaprakashkumar18,

Welcome to the Auth0 Community!

The reason why your session is not being invalidated after a password reset has to do with the application session still being active.

I suggest referring to our User is Not Logged Out after Password Reset knowledge solution for more information around terminating the application session after a user has reset their password.

Let us know if you have any additional questions.

Thanks,
Rueben
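The behaviour described in this thread follows from the access token being a self-contained JWT: an API only checks its signature and `exp`, so nothing in the token changes when the password does. The example below is added here (it is not Auth0's code) and assumes a constructed HS256 demo key plus an in-memory `PASSWORD_CHANGED_AT` store kept by the API; it shows the purely stateless check still accepting a pre-reset token and an extra "issued before last password change" check rejecting it.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; Auth0 tokens are normally RS256 with a published JWKS,
# but the revocation logic below does not depend on the signature algorithm.
SECRET = b"demo-secret-not-for-production"

# Constructed store: unix time of each user's last password reset, kept by the API.
PASSWORD_CHANGED_AT = {"user-1": 1_700_000_600}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, iat: int, exp: int) -> str:
    """Issue a minimal HS256 JWT with sub/iat/exp claims (stand-in for the IdP)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": iat, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int, check_reset: bool = True):
    """Return (claims, "ok") if the token is accepted, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header, payload, sig = parts
    # Always recompute HMAC with our key, so an attacker-supplied "alg" is ignored.
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= now:
        return None, "expired"
    # A stateless API stops here, which is why an old token keeps working
    # after a password reset until exp passes.
    if check_reset and claims["iat"] < PASSWORD_CHANGED_AT.get(claims["sub"], 0):
        return None, "issued before password reset"
    return claims, "ok"
```

The lookup costs one read per request, so the usual trade-off is to pair it with short token lifetimes rather than rely on either alone.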
