---
title: Session invalidation
description: Authenticated sessions aren't deleted automatically when a user changes their password. To implement automatic invalidation of existing sessions on password reset, consider one of the following approaches:
component: pingam
version: 8.1
page_id: pingam:security:session-invalidation
canonical_url: https://docs.pingidentity.com/pingam/8.1/security/session-invalidation.html
page_aliases: ["security-guide:session-invalidation.adoc"]
---

# Session invalidation

Authenticated sessions aren't deleted automatically when a user changes their password. To implement automatic invalidation of existing sessions on password reset, consider one of the following approaches:

* Use the `logoutByUser` action, specifying the username in the request payload.

  This action can be used for server-side and client-side sessions and is described in [Invalidate all sessions for a user](../am-sessions/managing-sessions-REST.html#invalidate-sessions-user).

* Use a query to locate all sessions for a user, then use the `logoutByHandle` action to invalidate those sessions.

  This action can be used for server-side sessions only and is described in [Invalidate specific sessions](../am-sessions/managing-sessions-REST.html#invalidate-sessions-by-handle).