<@U04UQ68083H> I use self-service/settings?flow={{...
# ory-copilot
@chilly-king-10285 I use self-service/settings?flow={{flowId}} to change password, but the old cookies are still working. How can I make all old cookies expire?
A message from kapa.ai
To invalidate old sessions when a user changes their password, you need to add the `revoke_active_sessions` hook to your settings flow configuration. This will terminate all active user sessions when they change their password, forcing anyone with access to the account to re-authenticate using the new password. Here's how to configure it:
```yaml
selfservice:
  flows:
    settings:
      after:
        password:
          hooks:
            - hook: revoke_active_sessions
```
This configuration adds the `revoke_active_sessions` Ory Action to the hooks that run after a successful password change in the settings flow, which will revoke all other active sessions for that user. [Revoke other active user sessions after changing the password](https://www.ory.sh/docs/kratos/session-management/revoke-sessions-hook) explains this functionality in detail. This approach is similar to what's available in the account recovery flow, where you can also configure the system to [invalidate other sessions after account recovery](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#invalidate-other-sessions). After implementing this hook, when a user changes their password through the settings flow, all their other active sessions will be terminated, and they'll need to log in again with the new password.