I have a Cordova app that logs users in based on their device's model+platform+uuid. For example: Pixel 2Android39798721218. The way this works when a user uses a new device is detailed in the following:
- User opens app
- App sends uuid code to checking page like: login-uuid?id=(uuid_here)
- If the uuid does not exist in the database the user is directed to a login page with the url: login?uuid=(uuid_here)
- User logs in and the uuid is sent to the login backend where it gets stored in a database
- When the user opens the app again they are logged in because their uuid is in the database
My question is basically: if someone knows a user's login details, they can navigate to login?uuid=foo and then, even if the user changes their password, the attacker can still log in by navigating to login-uuid?id=foo. Is there any way to mitigate this, or will simply removing all logged-in devices when a user resets their password be enough?
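An added example (not code from the original post or the asker's app) of the mitigation the question is circling: the device credential is generated server-side after a password check instead of being taken from the URL, it is stored hashed, and a password reset revokes every device entry for that user so an attacker's previously registered device stops working. The class and method names are hypothetical; the in-memory dict stands in for the database.

```python
import hashlib
import secrets
import time


class DeviceSessions:
    """Server-side registry of device logins, keyed by the hash of a server-issued token."""

    def __init__(self):
        # token_hash -> {"user": username, "issued": unix timestamp}
        self._by_hash = {}

    @staticmethod
    def _hash(token):
        # Store only a hash so a database leak does not hand out usable device tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def register_device(self, username):
        """Called only after the password check succeeded.

        The token is random and minted by the server; the client never gets to
        choose it, so a guessable device uuid cannot act as a credential.
        """
        token = secrets.token_urlsafe(32)
        self._by_hash[self._hash(token)] = {"user": username, "issued": time.time()}
        return token  # app stores this and presents it on the next launch

    def lookup(self, token):
        """Equivalent of login-uuid?id=...: returns the username or None."""
        rec = self._by_hash.get(self._hash(token))
        return rec["user"] if rec else None

    def revoke_all_for(self, username):
        """Called on password reset: drops every device login for that user."""
        stale = [h for h, r in self._by_hash.items() if r["user"] == username]
        for h in stale:
            del self._by_hash[h]
        return len(stale)


def password_reset_scenario():
    """Attacker registered a device with stolen credentials; victim then resets password."""
    sessions = DeviceSessions()
    attacker_token = sessions.register_device("alice")   # stolen password used once
    victim_token = sessions.register_device("alice")     # the real user's phone
    before = sessions.lookup(attacker_token)
    revoked = sessions.revoke_all_for("alice")           # part of the reset handler
    after = sessions.lookup(attacker_token), sessions.lookup(victim_token)
    return before, revoked, after
```

After the reset both devices must log in again with the new password, which is the behaviour you want; a token that is bound to a fixed device uuid could not be rotated this way.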