Steffen
Well-known member
It seems like it's best practice to invalidate other sessions on 2FA activation/change ([1], [2]). At the moment, XenForo seems to invalidate other sessions on password change but not on 2FA activation/change.
The scenario goes like this:
- Log in to the same account with two different browsers
- Enable 2FA in one of the logged-in sessions
- Observe that the other browser's session remains active
Upvote
3
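The scenario from the post as a runnable sketch, added here as an example; it is not XenForo code and not part of the original post. The in-memory `SessionStore`, the `Account` class and the `revoke` switch are hypothetical names used to contrast the reported behaviour with the suggested one.

```python
import secrets


class SessionStore:
    """Minimal in-memory server-side session store (hypothetical, for illustration)."""

    def __init__(self):
        self._sessions = {}  # session id -> user id

    def login(self, user_id):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user_id
        return sid

    def owner(self, sid):
        return self._sessions.get(sid)

    def is_active(self, sid):
        return sid in self._sessions

    def revoke_others(self, user_id, keep_sid):
        """Drop every session of user_id except the one making the change."""
        doomed = [s for s, u in self._sessions.items()
                  if u == user_id and s != keep_sid]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)


class Account:
    def __init__(self, store, user_id):
        self.store, self.user_id, self.two_factor = store, user_id, False

    def enable_2fa(self, current_sid, revoke=True):
        # Only an active session of this account may change the setting.
        if self.store.owner(current_sid) != self.user_id:
            raise PermissionError("not an active session for this account")
        self.two_factor = True
        # Handle a 2FA change like a password change: sessions opened before
        # the change never passed the second factor, so end them.
        return self.store.revoke_others(self.user_id, current_sid) if revoke else 0


def scenario(revoke):
    """Replay the three steps; return (browser A active, browser B active)."""
    store = SessionStore()
    acct = Account(store, "alice")      # constructed sample user
    browser_a = store.login("alice")    # step 1: same account, two browsers
    browser_b = store.login("alice")
    acct.enable_2fa(browser_a, revoke)  # step 2: enable 2FA in browser A
    return store.is_active(browser_a), store.is_active(browser_b)  # step 3
```

`scenario(False)` reproduces the observation in the post (both sessions stay active); `scenario(True)` keeps only the session that enabled 2FA.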