Josh Price

CVSS total: 2.3
Vulnerabilities · 1

PT-2025-25659 · CVSS 2.3 · 2025-06-17
Ash · Ash Authentication Phoenix · CVE-2025-4754
**Name of the Vulnerable Software and Affected Versions**

ash-project ash_authentication_phoenix, versions prior to 2.10.0

**Description**

The issue affects the ash_authentication_phoenix library: session tokens remain valid on the server after a user logs out. A compromised token therefore keeps working even after the user has logged out. The sessions stored in the database still expire, which limits the window in which this could be exploited. Users cannot fully invalidate their sessions when logging out from shared or potentially compromised devices; changing one's password does, however, invalidate all other sessions. This may cause compliance issues with security frameworks that require complete session invalidation.

**Recommendations**

Upgrade to version 2.10.0. After upgrading, update the AuthController implementation to use the new `clear_session/2` function with the OTP app name. If `require_token_presence_for_authentication?` is not set to `true` in the `tokens` section, enable it if possible, or set `authentication.session_identifier` to `:jti`. Note that setting `require_token_presence_for_authentication?` to `true` or setting `authentication.session_identifier` to `:jti` will log out all currently authenticated users if this was not previously configured. As a temporary workaround, manually revoke tokens in the `logout/2` handler in the auth controller.
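An added example of the remediation described above, not code from the advisory or from the Ash project: a sign-out action that calls `clear_session/2` with the OTP app name, beside the token configuration with the weak setting and the corrected one. The module names `MyApp`, `MyAppWeb.AuthController`, `MyApp.Accounts.User`, `MyApp.Accounts.Token` and `MyApp.Secrets` are assumptions.

```elixir
# Controller side (assumed module names). Before the fix the action only
# dropped the Plug session, so a stolen token stayed valid server-side.
defmodule MyAppWeb.AuthController do
  use MyAppWeb, :controller
  use AshAuthentication.Phoenix.Controller

  def sign_out(conn, _params) do
    return_to = get_session(conn, :return_to) || ~p"/"

    conn
    # Vulnerable (pre-2.10.0): Plug's clear_session/1 only clears the
    # cookie-backed session; the token in the store keeps working.
    # |> clear_session()
    # Fixed (2.10.0+): clear_session/2 from the AshAuthentication
    # controller also revokes the stored token for this OTP app.
    |> clear_session(:my_app)
    |> redirect(to: return_to)
  end
end

# Resource side (assumed resource module). With
# require_token_presence_for_authentication? set, the server checks the
# token store on every request, so a revoked token is rejected at once.
defmodule MyApp.Accounts.User do
  use Ash.Resource,
    domain: MyApp.Accounts,
    extensions: [AshAuthentication]

  authentication do
    # Alternative if token presence cannot be required: key the session
    # on the token's jti so logout can target exactly that token.
    # session_identifier :jti

    tokens do
      enabled? true
      token_resource MyApp.Accounts.Token
      signing_secret MyApp.Secrets  # assumed secret module
      # Weak (default): a revoked token can still authenticate until
      # it expires.
      # require_token_presence_for_authentication? false
      require_token_presence_for_authentication? true
    end
  end
end
```

Either setting change signs out every currently authenticated user when first enabled, as the advisory notes, so schedule it accordingly.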