v3.6.8 8 February 2026

Session Invalidation on Password Change

Name: SpeyBooks
Price: 15.00 GBP
Availability: OnlineOnly
Author: William Murray

Refresh tokens are now invalidated when a user changes their password.

Password change revokes all existing refresh tokens immediately
New tokens include a generation identifier validated on each refresh
Mismatched generation returns 401 — user must re-authenticate
Existing login sessions are unaffected until their refresh token expires or is used

This ensures a compromised session cannot persist after a password change.