selectively inhibit previous session

Jim Fox fox at
Fri May 22 18:33:18 UTC 2020

> Yes. It's attached to the flow as a configuration setting that means "attach this to every result created by this flow".

The methods we've discussed are starting to seem awfully heavyweight for a 
condition that occurs maybe once in a couple hundred thousand logins. 
Thanks for the discussion though.  I've learned quite a bit from it.

My new plan:  I can detect in my mfa script 1) if a user is in the 
compromised condition (method local to my situation) and 2) if the 
Password result used a previous session.  From there I can invalidate the 
session and basically let the user start over.

I think I could destroy the session with a subflow that just deletes the session 
cookie, but that that seems kinda crude.  Is there a better way for me to invalidate 
the session and then run the user through Password again?

If all else fails I can redirect the user to Logout and tell them to start over.



More information about the users mailing list