Question

I've recently been doing a bit of web development so I've been thinking more about authentication and stuff. On Netflix I noticed there is an extra option on the Account page to de-authorize other devices. My girlfriend changed her password but I was still able to use it without re-entering the password till she logged out other devices.

So my question is how does authentication for Netflix work if it doesn't have to locally store your password?

Solution

Netflix uses a version of Open authentication to allow a device to access an account. Once the device has been authorized, it will then have access to that account until it has been deauthorized.

Changing the password doesn't matter because the device has authorization already, probably in the form of a refresh token stored someplace. So it's not storing a password; it's storing an authorization token of some kind.

Let's use Facebook as an example: (response to comment below)

https://www.facebook.com/settings?tab=applications

This shows a list of all the crap I have logged in to using my Facebook account. Now, I have probably changed my Facebook password several times; it won't matter, I will still have access. Some of these are mobile apps I have installed on my cellphone at one time or another. Even if I don't use them, they still have access.

Other tips

This doesn't technically answer the question, but is related and, I think, helpful:

You can forcefully invalidate the previously-validated tokens for other devices by going to https://www.netflix.com/ManageDevices - as soon as you go to the page it will ask if you want to sign out other devices.

(from "Someone is using my Netflix account without my permission" at https://help.netflix.com/en/node/18)
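The behaviour both answers describe, as an added example that is not part of either answer and not Netflix's code: a toy server that checks the password once per device, hands back an opaque token, and revokes tokens independently of the password. `AccountService` and all its method names are hypothetical.

```python
import hashlib
import hmac
import secrets

class AccountService:
    """Toy single-account server with per-device opaque tokens (hypothetical design)."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash_pw(password)
        self._devices = {}  # sha256(token) -> device name

    def _hash_pw(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    @staticmethod
    def _token_id(token: str) -> str:
        # Store only a digest so a leaked table does not expose usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def authorize_device(self, password: str, device: str) -> str:
        """The password is checked once; the device keeps only the returned token."""
        if not hmac.compare_digest(self._hash_pw(password), self._pw_hash):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self._devices[self._token_id(token)] = device
        return token

    def is_authorized(self, token: str) -> bool:
        return self._token_id(token) in self._devices

    def change_password(self, old: str, new: str, revoke_devices: bool = False) -> None:
        if not hmac.compare_digest(self._hash_pw(old), self._pw_hash):
            raise PermissionError("bad password")
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash_pw(new)
        if revoke_devices:  # stricter option: rotate password and sessions together
            self._devices.clear()

    def sign_out_other_devices(self, keep_token: str) -> int:
        """Drop every device token except the caller's; returns the number revoked."""
        keep = self._token_id(keep_token)
        revoked = [t for t in self._devices if t != keep]
        for t in revoked:
            del self._devices[t]
        return len(revoked)
```

With `revoke_devices` left at its default, tokens issued before a password change keep working until `sign_out_other_devices` is called, which matches what the question observed.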

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow