by hsbauauvhabzb 906 days ago
Why?

I'm all for terminating sessions if the user wants it, but there are valid reasons to change passwords without knowledge of a breach.

Fwiw, terminating old sessions can be pretty hard in SSO systems and similar, though.


It's bad because when someone suspects unauthorized access to their account, the first thing anyone recommends is to change your password. If the old cookies keep working, changing your password doesn't help.
The easy and widespread solution to this issue is simply to ask the user if they would like to log out their other devices when they change their password.
I agree - but it should be an option, rather than permanent.
LTT found out the hard way: their attacker had a session token for an employee, and changing everyone's passwords didn't lock the attacker out.
So that's how they address the state issue. They just ignore the problem!

I always wondered how they addressed the state problem of cookie bearer tokens.