This document:Public document·View comments·Disposition of Comments·
Nearby:Mobile Web Best Practices Working Group Other specs in this tool Mobile Web Best Practices Working Group's Issue tracker
Quick access to LC-2265 LC-2266 LC-2271 LC-2272 LC-2273 LC-2274 LC-2275 LC-2276 LC-2277 LC-2278 LC-2279 LC-2280 LC-2281 LC-2282 LC-2283 LC-2284 LC-2285 LC-2286 LC-2287 LC-2288 LC-2290 LC-2291 LC-2292 LC-2293 LC-2294 LC-2295 LC-2296 LC-2297 LC-2298 LC-2299 LC-2300
Previous: LC-2296 Next: LC-2297
3.3.4 Consider adding something along the lines of "If devices persist authentication tokens then the server MUST invalidate them if the user changes or resets their password" This is especially important with mobile devices that are often lost/stolen and provides a user with a way to after the fact lock the phone out of web applications it had previously been authorised for.