Session invalidation
Authenticated sessions aren’t deleted automatically when a user changes their password. To implement automatic invalidation of existing sessions on password reset, consider one of the following approaches:
- Use the logoutByUser action, specifying the username in the request payload. This action can be used for server-side and client-side sessions and is described in Invalidate all sessions for a user.
- Use a query to locate all sessions for a user, then use the logoutByHandle action to invalidate those sessions. This action can be used for server-side sessions only and is described in Invalidate specific sessions.