
As part of the Heartbleed event, I have upgraded OpenSSL, reissued and replaced certificates and revoked the old ones, and changed passwords. However, I am also seeing advice to invalidate all session cookies (https://security.stackexchange.com/a/55089/18057) but I cannot find out how to do this.

Does this just apply to PHP sessions, for example, or is it more than this? What do I need to do to ensure all session keys and cookies are invalidated?

Thanks

bhttoan

1 Answer

The easiest way to invalidate all in-memory sessions is simply to restart your application server(s), which will clear the in-memory session cache and make everyone's session cookies invalid.

Also, if you are using a login framework that supports persistent logins (you are if you have a 'remember me' checkbox on your login form), then you can and should delete all the persistent logins from your database too.

One note is that if you have shared session state between your application servers in a centralized cache (a not uncommon setup in a load balanced configuration where sticky sessions are not supported), then that cache will need to be flushed.

Peter
  • Thanks Pete, I don't use any persistent logins or shared caches etc. and I did a reboot after upgrading OpenSSL and also once I had renewed the SSL certs, so hopefully that is me sorted! – bhttoan Apr 10 '14 at 07:44
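The answer above covers server-side session stores, where a restart or cache flush drops every session. Many frameworks instead keep the session client-side in a signed cookie (Django's cookie-based session backend, Rails' cookie store, Flask's default session), and those survive a restart because the server holds no session state at all; the only way to invalidate them all at once is to rotate the signing key. The example below is an added illustration, not code from the original post: a minimal HMAC-signed session cookie whose key rotation invalidates every previously issued cookie, alongside the persistent-login purge the answer recommends. The `SessionSigner` class, the `persistent_logins` table and the sample user IDs and tokens are all constructed here for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import sqlite3
import time


class SessionSigner:
    """Signs and verifies stateless (client-side) session cookies with an HMAC key.

    Rotating the key invalidates every cookie issued before the rotation, which is
    the client-side-cookie equivalent of restarting an app server that keeps
    sessions in memory. (Hypothetical helper written for this example.)
    """

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)

    def issue(self, payload: dict) -> str:
        """Return '<base64 payload>.<hex HMAC-SHA256 over the payload>'."""
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode()
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"

    def verify(self, cookie: str):
        """Return the payload if the MAC matches the current key, otherwise None."""
        try:
            body, mac = cookie.rsplit(".", 1)
        except ValueError:          # no separator: malformed cookie
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            return None
        return json.loads(base64.urlsafe_b64decode(body.encode()))

    def rotate_key(self):
        """Replace the signing key; every cookie issued so far now fails verify()."""
        self.key = secrets.token_bytes(32)


def purge_persistent_logins(conn):
    """Delete every 'remember me' token so a persistent login cannot resume a session.

    Returns the number of rows removed. Table layout is assumed for the example.
    """
    cur = conn.execute("DELETE FROM persistent_logins")
    conn.commit()
    return cur.rowcount


def count_persistent_logins(conn):
    return conn.execute("SELECT COUNT(*) FROM persistent_logins").fetchone()[0]


def demo():
    """Issue a cookie, rotate the key, and purge constructed persistent-login rows."""
    signer = SessionSigner()
    cookie = signer.issue({"user_id": 42, "issued_at": int(time.time())})
    valid_before = signer.verify(cookie) is not None

    signer.rotate_key()          # the 'invalidate everything' step for cookie sessions
    valid_after = signer.verify(cookie) is not None

    # Constructed sample of a persistent-login ('remember me') table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE persistent_logins (user_id INTEGER, token TEXT)")
    conn.executemany("INSERT INTO persistent_logins VALUES (?, ?)",
                     [(42, "tokA"), (7, "tokB")])
    conn.commit()
    deleted = purge_persistent_logins(conn)
    remaining = count_persistent_logins(conn)

    return {"valid_before_rotation": valid_before,
            "valid_after_rotation": valid_after,
            "deleted": deleted,
            "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

For the shared-cache case in the answer, the equivalent of `rotate_key()` is flushing the store itself (for a Redis-backed session cache, `FLUSHDB` on the session database); for PHP's default file-based sessions it is deleting the files under `session.save_path`. Whichever store is in use, rotating the cookie signing key as well is cheap and guarantees that nothing issued before the key change is accepted again.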