Force Logout on Password Change Across Sessions – Kentico 10 Custom Logon Form

Md Ayaz asked on June 16, 2025 12:39

I am currently working with Kentico 10 and using a custom logon form web part for user authentication.

I have encountered an issue related to session handling after a user password change. Here's the scenario:

A user logs in with the same credentials on two different browsers (e.g., Chrome and Edge).

The user then changes their password on one browser (e.g., Chrome).

When switching back to the other browser (e.g., Edge) and reloading the page, the session remains active, and the user is still logged in, despite the password having changed.

This seems to be a security concern, as ideally all active sessions for that user should be invalidated once the password is updated.

To handle this, I have attached a custom event handler using:

UserInfo.TYPEINFO.Events.Update.After += PasswordUpdate;

Within this handler, I attempted to write custom logic to force logout other active sessions for the user. However, this logic is not working as expected—sessions in other browsers remain valid even after the password is updated.

I would appreciate your guidance on the following:

Is this the correct event handler for detecting password changes in Kentico 10?

If not, what is the appropriate event or method to hook into for password update detection?

What is the recommended way to programmatically force logout other active sessions for a user after their password has changed?

Are there any built-in APIs or workarounds in Kentico 10 to achieve secure session invalidation on password updates? Your guidance on how to properly implement secure session invalidation in this scenario would be greatly appreciated.
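One way to build the stamp-and-check behaviour asked about above, as an added example that is neither Kentico's code nor the poster's: a custom module records a password-change stamp on the user row when the password column changes, pins that stamp in each server session, and signs out any session whose pinned stamp no longer matches. It assumes a custom DateTime field named UserPasswordChangedUtc on the cms.user class; the Kentico 10 API names used (Module, RegisterModule, RequestEvents.PostAcquireRequestState, ItemChanged, ValidationHelper.GetDateTime, AuthenticationHelper.SignOut) are assumptions from memory of that API.

```csharp
using System;
using System.Web;
using System.Web.Security;
using CMS;
using CMS.Base;
using CMS.DataEngine;
using CMS.Helpers;
using CMS.Membership;
[assembly: RegisterModule(typeof(PasswordStampModule))]

// Stamps each password change on the user row and signs out every other session established under an older stamp (added example).
public class PasswordStampModule : Module
{
    private const string StampColumn = "UserPasswordChangedUtc"; // assumed custom DateTime field on cms.user
    private const string SessionKey = "PasswordStampSeen";
    public PasswordStampModule() : base("PasswordStampModule") { }
    protected override void OnInit()
    {
        base.OnInit();
        // Update.Before still sees the pending column change, so the stamp lands in the same write as the new hash.
        UserInfo.TYPEINFO.Events.Update.Before += OnUserUpdateBefore;
        // Session state and the authenticated user are both available at this stage of the request.
        RequestEvents.PostAcquireRequestState.Execute += (s, e) => CheckStamp();
    }
    private static void OnUserUpdateBefore(object sender, ObjectEventArgs e)
    {
        var user = e.Object as UserInfo;
        if (user == null || !user.ItemChanged("UserPassword")) return;
        // Whole seconds, so the value read back from SQL Server compares equal to what was stored.
        var stamp = new DateTime(DateTime.UtcNow.Ticks / TimeSpan.TicksPerSecond * TimeSpan.TicksPerSecond, DateTimeKind.Utc);
        user.SetValue(StampColumn, stamp);
        // The session in which the user changed their own password keeps a matching pin and stays valid.
        var ctx = HttpContext.Current;
        if (ctx?.Session != null && MembershipContext.AuthenticatedUser?.UserID == user.UserID) ctx.Session[SessionKey] = stamp;
    }
    private static void CheckStamp()
    {
        var ctx = HttpContext.Current;
        var user = MembershipContext.AuthenticatedUser;
        if (ctx?.Session == null || user == null || user.IsPublic()) return;
        var stamp = ValidationHelper.GetDateTime(user.GetValue(StampColumn), DateTime.MinValue);
        var seen = ctx.Session[SessionKey] as DateTime?;
        // New server session: a forms ticket issued before the last change is stale (persistent cookie,
        // expired session). Existing session: the stamp pinned on its first request must still match.
        var ticket = (ctx.User?.Identity as FormsIdentity)?.Ticket;
        bool stale = seen == null ? ticket != null && ticket.IssueDate.ToUniversalTime() < stamp : seen.Value != stamp;
        if (stale) { ctx.Session.Abandon(); AuthenticationHelper.SignOut(); }
        else ctx.Session[SessionKey] = stamp;
    }
}
```

With sliding expiration ASP.NET refreshes the ticket's IssueDate when it renews the ticket, so the pinned session stamp is the primary check and the IssueDate comparison only covers the case where the server session expired while the authentication cookie survived.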

Correct Answer

Juraj Ondrus answered on June 16, 2025 12:51

This topic has been discussed here several times already, for example see this thread.
