Ideas for Arc XP

Disallow token refresh after a password change

If a password is compromised and the user changes it, the attacker's session will remain logged in for the session duration (which in our case is 1 year).

It would be better to not allow JWT refresh after a password change, hence limiting the attacker's use of the account to at most 15 minutes.

  • Rob W
  • Jun 14 2022
  • Future consideration
  • Admin
    Jessica Cavallo commented
    21 Jul 04:29pm

    Thank you Rob for the Idea! We're looking into the work required to do this since this would be a good change for better security. Once we have a LoE and timing for release we will let you know.
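The check the idea above asks for, as an added example that is not Arc XP's code: a minimal HS256 JWT issuer whose refresh endpoint rejects any refresh token issued before the user's last password change, so a stolen session survives only until its 15-minute access token expires. The secret, the `password_changed_at` lookup table and the user id are constructed for the example.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-secret-do-not-use"   # constructed for this example
ACCESS_TTL = 15 * 60                 # 15-minute access token, as the idea proposes
REFRESH_TTL = 365 * 24 * 3600        # 1-year session lifetime mentioned in the idea

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(sub: str, kind: str, iat: int, ttl: int) -> str:
    """Build a compact HS256 JWT (header.payload.signature); kind is 'access' or 'refresh'."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "typ": kind, "iat": iat, "exp": iat + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token: str, now: int) -> dict:
    """Check algorithm, signature and expiry; raise ValueError on any failure."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # refuse alg confusion, e.g. 'none'
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def refresh(refresh_token: str, password_changed_at: dict, now: int):
    """Return a fresh access token, or None when the refresh must be refused.

    password_changed_at maps user id -> unix time of the last password change
    (constructed stand-in for the user store)."""
    claims = verify(refresh_token, now)
    if claims["typ"] != "refresh":
        return None                                  # an access token cannot be used to refresh
    # The idea's rule: a refresh token issued before the password change is dead,
    # so whoever holds the old session is cut off once its access token expires.
    if claims["iat"] < password_changed_at.get(claims["sub"], 0):
        return None
    return mint(claims["sub"], "access", now, ACCESS_TTL)
```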