diff --git a/webadmin.go b/webadmin.go
index f62d5ac..be2675e 100644
--- a/webadmin.go
+++ b/webadmin.go
@@ -31,6 +31,7 @@ import (
 	"html/template"
 	"log"
 	"net/http"
+	"os"
 	"path"
 	"strings"
 	"time"
@@ -579,8 +580,6 @@ Are you sure you want to continue?`, share.UUID, share.Name)
 	ar.Post("/delete-user", func(w http.ResponseWriter, r *http.Request) {
 		sessionContext := h.buildSessionContext(w, r)
 
-		// TODO invalidate sessions
-
 		if sessionContext.user.Role != GlobalRoleAdmin {
 			sessionContext.Unauthorized()
 			return
@@ -605,6 +604,9 @@ Are you sure you want to continue?`, user.Username, user.Role)
 				return
 			}
 		}
+
+		invalidateSession(sessionStore, user.Username)
+
 		sessionContext.Redirect("users")
 	})
 	ar.Route("/change-password", func(r chi.Router) {
@@ -648,6 +650,8 @@ Are you sure you want to continue?`, user.Username, user.Role)
 				return
 			}
 
+			invalidateSession(sessionStore, sessionContext.user.Username)
+
 			sessionContext.Redirect("./")
 		})
 	})
@@ -785,3 +789,28 @@ func userFromContext(r *http.Request) *User {
 		return nil
 	}
 }
+
+func invalidateSession(store *buntdb.DB, username string) {
+	err := store.Update(func(tx *buntdb.Tx) error {
+		var sessionIds []string
+		if err := tx.AscendKeys("*", func(key, value string) bool {
+			if value == username {
+				sessionIds = append(sessionIds, key)
+			}
+			return true
+		}); err != nil {
+			return err
+		}
+
+		for _, sessionId := range sessionIds {
+			if _, err := tx.Delete(sessionId); err != nil {
+				fmt.Fprintf(os.Stderr, "cannot remove session: %v\n", err)
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "cannot invalidate session: %v\n", err)
+	}
+}
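Review bot: The change-password hunk invalidates the sessions of `sessionContext.user.Username`, i.e. the requester, which is only correct if this route changes the caller's own password; if an administrator can change another account's password through it (the handler starts outside the hunk, so this cannot be confirmed here), the sessions that must be dropped are that account's, not the admin's. The call also removes the caller's own current session, so the `sessionContext.Redirect("./")` that follows presumably lands on an unauthenticated request — if forcing a re-login after a password change is the intent, a one-line comment such as `// drop every session of this user, including the current one, so old credentials cannot keep a session alive` would make that explicit; otherwise pass the current session id through and skip it.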
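Review bot: invalidateSession only prints failures to stderr and returns nothing, so a failed `tx.Delete` inside the loop, or a failed `store.Update`, leaves sessions valid while the delete-user and change-password handlers in the earlier hunks redirect as if the invalidation had succeeded. Returning the error lets the callers decide, and the file already imports `log`, so `log.Printf` is the more consistent sink than `fmt.Fprintf(os.Stderr, …)` (the new `os` import exists only for that). The collect-then-delete shape is worth a comment, since it looks deliberate — presumably because buntdb does not allow writes from inside an iteration callback — e.g. `// collect first: keys cannot be deleted while AscendKeys is iterating`. Note also that `AscendKeys("*")` walks every key in the store and matches on value alone, so if the store ever holds non-session entries whose value equals a username they would be deleted too; if a key prefix is used for sessions, the pattern should carry it.
```go
func invalidateSession(store *buntdb.DB, username string) error {
	return store.Update(func(tx *buntdb.Tx) error {
		// … unchanged: collect matching keys with tx.AscendKeys into sessionIds …
		for _, sessionId := range sessionIds {
			if _, err := tx.Delete(sessionId); err != nil {
				return fmt.Errorf("removing session %q for user %q: %w", sessionId, username, err)
			}
		}
		return nil
	})
}
```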