[BUG] Active session termination does not invalidate remote browser sessions (security vulnerability)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When a user terminates a session via claude.ai > Settings > Account > Active Sessions, the browser session on the remote machine is not invalidated. The remote browser remains logged in and can re-authenticate Claude Code automatically.
This means a user who has lost physical access to a device cannot revoke access to their account. claude.ai does not support passwords or 2FA, so there is no secondary mechanism to prevent re-authentication from a browser with a persistent session.
This is not a duplicate of any CLAUDE_CONFIG_DIR issue. This is about server-side session invalidation failing.
What Should Happen?
Terminating a session in Active Sessions should immediately invalidate the session cookie on the server side, causing the remote browser to be logged out on next request. The "Log Out" (all sessions) button should do the same for all sessions.
Error Messages/Logs
Steps to Reproduce
- Log into claude.ai in a browser on Machine A.
- Authenticate Claude Code on Machine A via the browser.
- From Machine B, go to claude.ai > Settings > Account > Active Sessions.
- Terminate the session for Machine A.
- On Machine A, the browser remains logged in and Claude Code can re-authenticate.
Claude Model
None
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
N/A
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
VS Code integrated terminal
Additional Information
Previously filed as #37803, which was incorrectly auto-closed as a duplicate of #30538 (CLAUDE_CONFIG_DIR). These issues are unrelated. Related issues: #34198, #22995.
This issue has 8 comments on GitHub. Read the full discussion on GitHub ↗