Note that the above will remove the sessions from the db only. The other user will still have them set in their cookies. So if you have not turned on access token blacklisting, their session will continue to work until their access token expires (which by default is 1 hour)