In my application I want to invalidate all previous user pool sessions of a particular user when the user signs in again from a different device. But the problem is that after calling global signout, the session on the previous device is still valid. Even after changing the password, the sessions on previous devices are still there.
userPool.getUser("xyzzz").getSessionInBackground(authenticationHandler);
After calling the above code on the previous device, it directly returns the user session with new tokens instead of calling getAuthenticationDetails for the password.
Is there any way to have only one session at a time for a Cognito user?
When calling global signout, Cognito invalidates all access and refresh tokens associated with that particular user. It does not invalidate the id token so that can still be used.
If you try to getSessionInBackground on Android, it checks if the tokens are valid (if the expiration date is valid) in order to return them. However, when you try to use access and refresh tokens, they will not work. When using id tokens, they will expire after one hour. If you can give exact steps for reproducing this, we can investigate further.
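The behaviour described in the answer above, as an added example (not code from the original thread or from the AWS SDK): a local expiry check still passes for a token the service has revoked, so a client that must honour global signout has to confirm the token with the service. `serviceAccepts` is a hypothetical hook standing in for a real call made with the access token; the token and the revocation set are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SessionCheck {
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d{1,18})");

    // Local check only: reads the exp claim from the JWT payload.
    // It cannot see server-side revocation (and does not verify the signature).
    static boolean notExpired(String jwt, Instant now) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        try {
            String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
            Matcher m = EXP.matcher(payload);
            return m.find() && now.getEpochSecond() < Long.parseLong(m.group(1));
        } catch (IllegalArgumentException e) {
            return false; // malformed base64url
        }
    }

    // Treat a cached session as live only if the service also still accepts the token.
    // serviceAccepts is a hypothetical hook for a real call made with the access token.
    static boolean sessionIsLive(String accessToken, Instant now, Predicate<String> serviceAccepts) {
        return notExpired(accessToken, now) && serviceAccepts.test(accessToken);
    }

    // Constructed, unsigned sample token; not a real Cognito token.
    static String constructedToken(long exp) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString(("{\"sub\":\"xyzzz\",\"exp\":" + exp + "}").getBytes(StandardCharsets.UTF_8));
        return header + "." + body + ".sig";
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        String token = constructedToken(now.getEpochSecond() + 3600);
        Set<String> revoked = new HashSet<>();   // stand-in for server-side revocation state
        Predicate<String> serviceAccepts = t -> !revoked.contains(t);
        revoked.add(token);                      // simulate a global signout from another device
        System.out.println("local expiry check: " + notExpired(token, now));
        System.out.println("session live:       " + sessionIsLive(token, now, serviceAccepts));
    }
}
```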