selectively inhibit previous session

Cantor, Scott cantor.2 at
Thu May 21 21:13:24 UTC 2020

On 5/21/20, 5:08 PM, "users on behalf of Jim Fox" <users-bounces at on behalf of fox at> wrote:

> How can I inhibit the previous session handler based on the user's login 
> id?  (This would be, say, to prevent reuse of a session from a stolen 
> password login.)

The design is built around not worrying about the session, it doesn't matter. What you want to inhibit is the authentication results from being reused, and all of them have a reuseCondition attached to control that now.

However, I created a regression in 4.0 that prevents the conditions from being properly attached to subresults in the MFA flow when they're pulled back out, it's hopefully fixed in 4.0.1.

-- Scott

More information about the users mailing list