Session invalidation
There is currently no automatic mechanism to delete existing user sessions when the user changes their password. To implement automatic invalidation of existing sessions on password reset, consider one of the following approaches:
-
Use the
logoutByUseraction, specifying the username in the request payload.This action can be used for server-side and client-side sessions and is described in Invalidate all sessions for a user.
-
Use a query to locate all sessions for a user, then use the
logoutByHandleaction to invalidate those sessions.This action can be used for server-side sessions only and is described in Invalidate specific sessions.