Reset Password does not logout all sessions #8988
-
Changing this to a discussion as this is not a bug and is by design. Recover password is used in scenarios when a user has forgotten the password, and as such should not invalidate other sessions. In fact that is pretty common practice. If a user suspects the account has been compromised they will update the credentials through the account console, which gives the option to log out existing sessions.
-
Yes I understand your point of view. However I have another case in mind: imagine some user accounts have been hacked/pwned. If we recommend these users to do a "forgot credentials" to reset their password and recover their account by themselves, then the hacker still has access to the account until the session expires. PS: imagine that users do not use the Keycloak account page, so we cannot tell them to do a "logout all sessions" manually (and this is not very user friendly to tell them to do that :) )
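The scenario in the reply above (accounts recovered through the forgot-credentials flow while the attacker's sessions stay alive) can be closed from the administrator's side without involving the users: the Keycloak Admin REST API can remove all sessions of a given user. The script below is an added example and is not code from Keycloak or from anyone in this discussion. It assumes a Keycloak 15-style base URL that includes the `/auth` prefix, an admin account in the `master` realm usable with the public `admin-cli` client, and constructed realm, host and usernames; the fake transport at the bottom stands in for the server so the example runs offline.

```python
"""
Terminate all sessions of a list of users via the Keycloak Admin REST API.

Endpoints used (base URL includes /auth, as on Keycloak 15):
  POST {base}/realms/master/protocol/openid-connect/token   admin access token
  GET  {base}/admin/realms/{realm}/users?username=<name>    look up the user id
  POST {base}/admin/realms/{realm}/users/{id}/logout        remove all user sessions
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A transport is (method, url, headers, body) -> (status, response bytes).
# Injecting it keeps the logic testable offline with a fake transport.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport used when the script is run against a live server."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class KeycloakAdmin:
    def __init__(self, base_url: str, realm: str, transport: Transport = urllib_transport):
        self.base = base_url.rstrip("/")
        self.realm = realm
        self.transport = transport
        self.token: Optional[str] = None

    def login(self, username: str, password: str) -> None:
        """Obtain an admin access token (password grant, master realm, admin-cli)."""
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": username, "password": password}).encode()
        status, raw = self.transport(
            "POST", f"{self.base}/realms/master/protocol/openid-connect/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"admin login failed with HTTP {status}")
        self.token = json.loads(raw)["access_token"]

    def _auth(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.token}"}

    def find_user_id(self, username: str) -> Optional[str]:
        """The users search is a substring match, so keep only the exact username."""
        query = urllib.parse.urlencode({"username": username})
        status, raw = self.transport(
            "GET", f"{self.base}/admin/realms/{self.realm}/users?{query}", self._auth(), None)
        if status != 200:
            raise RuntimeError(f"user search failed with HTTP {status}")
        for user in json.loads(raw):
            if user.get("username") == username:
                return user["id"]
        return None

    def logout_all_sessions(self, user_id: str) -> bool:
        """Remove every session of the user; Keycloak answers 204 on success."""
        status, _ = self.transport(
            "POST", f"{self.base}/admin/realms/{self.realm}/users/{user_id}/logout",
            self._auth(), None)
        return status == 204


def terminate_sessions(admin: KeycloakAdmin, usernames: List[str]) -> Dict[str, str]:
    """Log out every listed user and report a per-user outcome so nothing fails silently."""
    outcome: Dict[str, str] = {}
    for name in usernames:
        user_id = admin.find_user_id(name)
        if user_id is None:
            outcome[name] = "not-found"
        else:
            outcome[name] = "logged-out" if admin.logout_all_sessions(user_id) else "failed"
    return outcome


# --- constructed fake server so the example runs offline (not a real realm) ---
FAKE_USERS = [{"id": "u-1", "username": "alice"}, {"id": "u-2", "username": "alice.backup"}]


def make_fake_transport(calls: List[Tuple[str, str]]) -> Transport:
    """Mimics the three endpoints above and records (method, url) for inspection."""
    def fake(method, url, headers, body):
        calls.append((method, url))
        if url.endswith("/protocol/openid-connect/token") and method == "POST":
            return 200, b'{"access_token": "fake-admin-token"}'
        if headers.get("Authorization") != "Bearer fake-admin-token":
            return 401, b""
        if "/users?username=" in url and method == "GET":
            needle = urllib.parse.parse_qs(url.split("?", 1)[1])["username"][0]
            return 200, json.dumps([u for u in FAKE_USERS if needle in u["username"]]).encode()
        if url.endswith("/logout") and method == "POST":
            return 204, b""
        return 404, b""
    return fake


def demo() -> Dict[str, str]:
    """Run the whole flow against the fake server for two constructed usernames."""
    calls: List[Tuple[str, str]] = []
    admin = KeycloakAdmin("https://sso.example.test/auth", "demo-realm", make_fake_transport(calls))
    admin.login("admin", "not-a-real-password")
    return terminate_sessions(admin, ["alice", "bob"])


if __name__ == "__main__":
    print(demo())  # {'alice': 'logged-out', 'bob': 'not-found'}
```

To run it against a real server, construct `KeycloakAdmin` with the default transport and the real base URL, then call `login` and `terminate_sessions`; the exact-username filter matters because the `users?username=` search also returns partial matches, and logging out the wrong account is the kind of mistake a batch script should never make silently.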
-
Describe the bug
All the sessions of a user are not closed when using "forgot credentials" page.
Version
15.0.2
Expected behavior
When a user is using multiple devices (a PC and a mobile device for example) and is logged in on each, if he resets his password on the PC, I expect him to be logged out on all his devices. So he should be logged out on his mobile device also.
Actual behavior
When a user changes their password in the account page, all sessions are logged out. IMHO this is expected.
When a user changes their password with the "forgot password" page, open sessions are not closed.
How to Reproduce?
/auth/realms/{realm}/login-actions/reset-credentials page and reset the password
Anything else?
No response