When a user changes their email or password, other sessions are logged out for security reasons.
Page Contents

When a user’s account is compromised (for example their password is leaked or an attacker gains access to their email account), the app needs to be able to prevent continued use of the hijacked account.

To address this case, LoopBack invalidates access tokens (logs out sessions) when a change of password or email was detected. By default, this feature is disabled in 2.x LTS for backwards compatibility and a warning is printed at startup time to notify the app developer about a possible security issue.

To enable access-token invalidation, set the flag logoutSessionsOnSensitiveChanges to true in the server/config.json file.


  "restApiRoot": "/api",
  "host": "",
  "port": 3000,
  "remoting": {
    // ...
  "logoutSessionsOnSensitiveChanges": true,

To allow the access-token invalidation code to detect and preserve current sessions, enable context propagation via the “options” argument in the settings of your User model. You can’t change this setting in the built-in User model. Instead, configure a custom model that extends the built-in User model.

Example of a Customer model extending the built-in User model:

  "name": "Customer",
  "base": "User",
  "idInjection": true,
  "options": {
    "injectOptionsFromRemoteContext": true,
    "validateUpsert": true
  "properties": {},
  "validations": [],
  "relations": {},
  "acls": [],
  "methods": {}