Code Room
On-call · Hard · oc-g355
Subject: Account takeover
Level: Senior–Staff
Duration: ~40 min
Common in: Reliability & on-call interviews
Industries: Software development, Technology

Question

A handful of users report that accounts they *logged out of* on a shared/public machine were later accessed by someone else — actions taken hours after they left. Your auth team confirms: logout clears the cookie in the browser but your API authorizes via a **stateless JWT** (24h expiry) and there's no server-side session/denylist, so a token captured before logout (e.g. via a shared browser's history, a proxy, or a copied cookie) keeps working until natural expiry. Login success rate, error rate, and traffic all look completely normal. How do you triage the scope, contain it, and fix it without logging out all 4M active sessions if you can avoid it?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
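The targeted fix the question asks for, as an added example that is not part of the original page: a minimal HS256 JWT issuer and verifier in plain Python, backed by a hypothetical server-side revocation store so a captured token can be voided per token (a jti denylist that only has to outlive the token's own exp) or per user (an issued-before cutoff) without invalidating all 4M sessions. The key, claim values and helper names are constructed for the example.

```python
import base64, hashlib, hmac, json
SECRET = b"constructed-demo-key"  # constructed for the example; never hard-code a real one

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(sub: str, jti: str, now: int, ttl: int = 24 * 3600) -> str:
    """Mint an HS256 JWT with sub, jti, iat and exp (24h default, as on the page)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps({"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

class RevocationStore:
    """Hypothetical server-side state the page says is missing: a jti denylist that
    only has to live until the token's own exp, plus a per-user cutoff timestamp."""
    def __init__(self):
        self.denied = {}      # jti -> exp of the revoked token
        self.not_before = {}  # sub -> reject tokens issued (iat) before this time

    def revoke_token(self, jti: str, exp: int):
        self.denied[jti] = exp

    def revoke_user_before(self, sub: str, ts: int):
        self.not_before[sub] = ts  # targeted "log this user out everywhere"

    def prune(self, now: int):
        # Bounded size: drop entries for tokens that would have expired anyway.
        self.denied = {j: e for j, e in self.denied.items() if e > now}

def authorize(token: str, store: RevocationStore, now: int):
    """Return the claims for a valid, unrevoked token; None for anything else."""
    try:
        h, b, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # pin the algorithm; do not trust the token's choice
        expected = hmac.new(SECRET, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(b))
    except ValueError:  # wrong part count, bad base64url or bad JSON
        return None
    if claims["exp"] <= now or claims["jti"] in store.denied:
        return None
    if claims["iat"] < store.not_before.get(claims["sub"], 0):
        return None
    return claims
```

Because each denylist entry expires with its token, the store stays bounded, and the per-user cutoff only affects the account that reported the takeover.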
