Access Management 7.4.1

Session invalidation

There is currently no automatic mechanism to delete existing user sessions when the user changes their password. To implement automatic invalidation of existing sessions on password reset, consider one of the following approaches:

  • Use the logoutByUser action, specifying the username in the request payload.

    This action can be used for server-side and client-side sessions and is described in Invalidate all sessions for a user.

  • Use a query to locate all sessions for a user, then use the logoutByHandle action to invalidate those sessions.

    This action can be used for server-side sessions only and is described in Invalidate specific sessions.

Copyright © 2010-2024 ForgeRock, all rights reserved.