How to invalid all the access token what ever assigned to a

Question

Hi Friends How to invalid all the access token what ever assigned to a user after change password or forgot password. (requirement is like this :- if the use is logged in in multipule devices and he changed password from one device. the other devices should logout automatically. ) i am using AspnetIdentity and webapi 2.0 is there any way to do so ? any Ideas will be appreciated.

Srikant Maruwada · Answer

You can try from following url https://timmlotter.com/blog/asp-net-identity-invalidate-all-sessions-on-securitystamp-update/ After you change the password you also need to change the SecurityStamp: await UserManager.ChangePasswordAsync(User.Identity.GetUserId() model.OldPassword model.NewPassword); await UserManager.UpdateSecurityStampAsync(User.Identity.GetUserId()); If you want the user to remain logged in you have to reissue a new authentication cookie (signin): await SignInManager.SignInAsync(user isPersistent: false  rememberBrowser: false ); Otherwise the user/session who initated the password change will also be logged out. And to log out all other sessions immediately you need to lower the check interval in the config: app.UseCookieAuthentication( new CookieAuthenticationOptions { AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie LoginPath = new PathString( /Account/Login ) Provider = new CookieAuthenticationProvider { // Enables the application to validate the security stamp when the user logs in. // This is a security feature which is used when you change a password or add an external login to your account. OnValidateIdentity = SecurityStampValidator.OnValidateIdentity ( validateInterval: TimeSpan.FromSeconds(1) regenerateIdentity: (manager user) => user.GenerateUserIdentityAsync(manager)) } });