kansoftware created
Hello Team,
I want to implement a mechanism that invalidates all existing sessions when a user changes their password, requiring re-authentication for all active sessions.
Impact: The vulnerability allows an attacker to retain access to an account even after a password change, compromising user security.
Please let me know if there is any existing functionality for this, or how I can implement it.
1 Answer(s)
Hi @kansoftware
Here you can update the user's Security Stamp information. This process causes the relevant user to log out of all open sessions.
await UserManager.UpdateSecurityStampAsync(user);
You can use this method after changing the user's password. In the Reset Password method, it can be used after user update.
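Putting the answer into practice, as an added example that is not code from the original thread (AppUser, PasswordService and IdentityStartup are assumed names, written against stock ASP.NET Core Identity rather than ABP's wrappers): a password change that rotates the security stamp and refreshes only the caller's own cookie, plus the validation interval that bounds how long the other sessions survive.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
// Assumed application user type (hypothetical name).
public class AppUser : IdentityUser { }
public class PasswordService
{
    private readonly UserManager<AppUser> _userManager;
    private readonly SignInManager<AppUser> _signInManager;

    public PasswordService(UserManager<AppUser> userManager, SignInManager<AppUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // Change the password, then rotate the security stamp so every cookie
    // issued before this point fails stamp validation and is signed out.
    public async Task<IdentityResult> ChangePasswordAndRevokeSessionsAsync(
        AppUser user, string currentPassword, string newPassword)
    {
        var result = await _userManager.ChangePasswordAsync(user, currentPassword, newPassword);
        if (!result.Succeeded) return result;

        // Rotating the stamp is what invalidates the other sessions. Stock
        // ChangePasswordAsync already does this internally; the explicit call
        // keeps the intent visible and covers custom password-setting paths.
        await _userManager.UpdateSecurityStampAsync(user);

        // Re-issue the current session's cookie with the new stamp so the
        // user who changed the password stays logged in on this device.
        await _signInManager.RefreshSignInAsync(user);
        return result;
    }
}

public static class IdentityStartup
{
    // The cookie handler only re-checks the stamp every ValidationInterval;
    // the default is 30 minutes, so other sessions survive until then.
    public static void Configure(IServiceCollection services)
    {
        services.Configure<SecurityStampValidatorOptions>(options =>
        {
            options.ValidationInterval = TimeSpan.FromMinutes(1);
        });
    }
}
```

A shorter interval means a database read per request once it elapses, so pick the value that balances revocation latency against load.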