Handling zombie sessions after a remote wipeSolved

That is a fantastic scenario, @sybylla, and a very common blind spot. The issue stems from treating hardware security and identity management as the same thing. They operate entirely independently. 

A remote wipe destroys the local data, but your cloud applications have no idea the physical device was compromised. Those stolen session cookies act as bearer tokens; whoever holds them gets access until the token naturally expires. To mitigate this, your security procedures must be updated. The moment a device is reported lost or stolen, your very first step should actually be to force a global session logout and revoke all refresh tokens at your Identity Provider level (like Entra ID or Okta), and then issue the hardware wipe. 

@roosevelt is exactly right about severing the connection at the Identity Provider level, but relying on a technician to manually revoke tokens during a crisis leaves too much room for human error. 

The most effective way to eliminate these zombie sessions is to implement stricter session controls natively. We started enforcing much shorter session lifetimes and utilizing continuous access evaluation based on behavioral signals rather than just hardware status. If an active session suddenly changes IP addresses, jumps to a different geographic location, or presents an unrecognized browser fingerprint, the system immediately recognizes the anomaly. It automatically invalidates the token and forces a strict multi-factor authentication prompt, neutralizing the stolen cookie before the attacker can even use it.