Azure B2C session not expire after password reset

Time: 01-27

I have opened two browser windows in two different web browsers with my application. I noticed that if I am using a local Azure AD account and I reset my password in the first open window, the session in the other window remains logged in, even if I refresh the window. Why does B2C use the previous authentication? How can I change it?

This is dangerous because the user doesn't have the possibility to log out from all sessions in case, e.g., he forgot to log out in a library, school etc.

Of course a solution exists, logging out every time the user opens a new window, but the method where the user remains logged in is user friendly.

CodePudding user response:

It is because the logged-in tab is not using the session cookie or refresh token to perform any action. It is using the access token, which cannot be revoked. Once the access token expires and the refresh token is used, this will fail. Then the session cookie will be used, and this may or may not work depending on whether it has expired.

You can use this sample to revoke the session.

The sample revokes the cookies based on the refresh-token-valid-from date-time, which is automatically set to the current time when a password reset is performed.

This means all the user's devices will be logged out once the access token expires.
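The timeline in the answer, as an added example that is not part of the original post: a Python model (not Microsoft's sample or Azure code) in which the resource only checks access-token expiry, while the refresh endpoint compares the refresh token's issue time against a per-user cut-off that a password reset moves to "now". User names, lifetimes and the cut-off field are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Tokens:
    access_exp: float   # self-contained access token: accepted until this instant, nothing can recall it
    refresh_iat: float  # issue time of the refresh token, compared against the user's reset time


class RefreshRevoked(Exception):
    pass


class AuthorizationServer:
    """Toy model of the behaviour described in the answer (assumption, not Azure B2C code)."""

    def __init__(self, access_lifetime: float):
        self.access_lifetime = access_lifetime
        # Per-user cut-off in the spirit of Azure AD's refreshTokensValidFromDateTime:
        # refresh tokens issued before it are no longer honoured.
        self.refresh_valid_from: dict[str, float] = {}

    def issue(self, user: str, now: float) -> Tokens:
        return Tokens(access_exp=now + self.access_lifetime, refresh_iat=now)

    def reset_password(self, user: str, now: float) -> None:
        # A password reset moves the cut-off to "now", invalidating every earlier refresh token.
        self.refresh_valid_from[user] = now

    def refresh(self, user: str, tokens: Tokens, now: float) -> Tokens:
        if tokens.refresh_iat < self.refresh_valid_from.get(user, 0.0):
            raise RefreshRevoked("refresh token predates the password reset")
        return self.issue(user, now)


def resource_accepts(tokens: Tokens, now: float) -> bool:
    # The API checks expiry only; it cannot know about the reset (the "cannot be revoked" point).
    return now < tokens.access_exp


def second_window_timeline(access_lifetime: float) -> dict:
    """Window 2 logs in at t=0, window 1 resets the password at t=10; report what window 2 sees."""
    auth = AuthorizationServer(access_lifetime)
    tokens = auth.issue("alice", now=0.0)       # constructed user; window 2's session
    auth.reset_password("alice", now=10.0)      # performed from window 1
    still_in_after_reset = resource_accepts(tokens, now=11.0)
    # Once the access token has expired, window 2 must refresh, and that is where the reset bites.
    try:
        auth.refresh("alice", tokens, now=access_lifetime + 1.0)
        refresh_ok = True
    except RefreshRevoked:
        refresh_ok = False
    return {"authorized_after_reset": still_in_after_reset, "refresh_after_expiry_ok": refresh_ok}
```

Shortening `access_lifetime` shrinks the window in which the second browser stays signed in; it never closes it entirely while an unexpired access token exists.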
