I’m working on a project that has both a website and an Android mobile app. Users can log into both platforms using the same account credentials. The issue I’m facing is when someone updates their password through the web interface, I want their mobile app session to end automatically so they have to sign in again with the new password. What’s the best approach to handle this kind of cross-platform session management? I’ve been thinking about using some kind of token validation but I’m not sure how to implement it properly. Should I check the password change timestamp against the login time, or is there a better way to detect when credentials have been modified on another platform? Any suggestions would be really helpful since I want to make sure the security is solid.
Token versioning is what you need here. I implemented this exact scenario last year and found the most reliable approach is maintaining a version number or hash tied to each user’s credentials in your database. When a password changes on any platform, increment this version number. Your mobile app should include the current credential version in API requests, and your backend validates it against the stored version. If they don’t match, return an authentication error forcing re-login. This method is more robust than timestamp comparisons because it eliminates edge cases with server time synchronization. You can also extend this pattern to handle other security events like email changes or account compromises. The mobile app handles the authentication error gracefully by clearing local tokens and redirecting to login.
hmm interesting approaches above! what about using refresh tokens that get invalidated server-side when password changes? curious tho - how do you handle the ux when users are actively using the app and suddenly get kicked out? do you show a specific message explaining why they need to re-login or just generic auth error?
jwt tokens with expiration work well for this. when password changes, just blacklist the current tokens or change your signing secret. the mobile app will get auth errors on next api call and can redirect to login automatically. way simpler than tracking versions imo, plus you're probably already using jwts anyway
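An added example, not code from any of the posters, of the credential-version check described in the token-versioning answer above, carried inside an HMAC-signed compact token of the kind the JWT answer has in mind (a JWT library would sign the claims the same way). The in-memory user store, the server secret and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical in-memory store: username -> {salt, pw, version}.  A real
# deployment keeps credential_version as a column next to the password hash.
USERS = {}
SERVER_SECRET = secrets.token_bytes(32)  # key that signs session tokens

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw": _hash_password(password, salt), "version": 1}

def change_password(username, new_password):
    user = USERS[username]
    user["salt"] = secrets.token_bytes(16)
    user["pw"] = _hash_password(new_password, user["salt"])
    user["version"] += 1  # every token issued before this point is now stale

def issue_token(username, password):
    """Login on any platform: verify the password, embed the current version."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _hash_password(password, user["salt"])):
        return None
    payload = json.dumps({"sub": username, "ver": user["version"]}).encode()
    sig = hmac.new(SERVER_SECRET, payload, "sha256").digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def validate_token(token):
    """Return the username if the token is authentic and its version is current, else None."""
    try:
        p_b64, s_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(p_b64)
        sig = base64.urlsafe_b64decode(s_b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(sig, hmac.new(SERVER_SECRET, payload, "sha256").digest()):
        return None  # forged or tampered token
    claims = json.loads(payload)
    user = USERS.get(claims.get("sub"))
    if user is None or claims.get("ver") != user["version"]:
        return None  # password (or other credential) changed since this token was issued
    return claims["sub"]

def demo():
    """Mobile logs in, the web changes the password, then both tokens are checked."""
    register("alice", "old-password")
    mobile = issue_token("alice", "old-password")
    change_password("alice", "new-password")  # done through the web interface
    web = issue_token("alice", "new-password")
    return validate_token(mobile), validate_token(web)
```

The version mismatch is the only thing that rejects the mobile token, so the same check also covers e-mail changes or a forced logout after a compromise by bumping the version without touching the password.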