During testing it was found that if a user revoke his all active session, then also user is able to make changes to his account.
If a victim account is hacked and he wants to revoke all his sessions, but since the configuration provided is not proper, he won’t be able to revoke all active user sessions as attacker is still able to make changes to hacked account.