Session invalidation when changing password #2028
fballiano asked this question in Questions & Answers
In my opinion, old sessions should be invalidated after a password is changed. I think this may be possible without even re-authenticating the customer?
I think I read about such an issue not so long ago. It may have even been in a PR. I personally consider that when someone changes the password the session must end and a new login would be required. I did not analyze in detail, but this is the first idea that comes to me at the moment for security purposes.
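The two options raised in the replies above (invalidate old sessions but keep the current customer signed in, or end every session and require a new login) can both be built on a per-customer credential epoch. The following is an added example, not code from this project or from the participants; `SessionStore`, its methods and the `keep_current` flag are hypothetical names, and the password update itself is assumed to happen elsewhere.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """In-memory stand-in for a session backend (hypothetical, for illustration)."""
    epochs: dict = field(default_factory=dict)    # customer_id -> credential epoch
    sessions: dict = field(default_factory=dict)  # session_id -> (customer_id, epoch)

    def login(self, customer_id):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (customer_id, self.epochs.setdefault(customer_id, 0))
        return sid

    def is_valid(self, sid):
        record = self.sessions.get(sid)
        if record is None:
            return False
        customer_id, epoch = record
        # A session is only good for the credential epoch it was issued under.
        return epoch == self.epochs.get(customer_id)

    def change_password(self, customer_id, current_sid=None, keep_current=True):
        """Bump the epoch so every existing session of this customer goes stale.

        keep_current=True  -> reissue the caller's session under a fresh id
        keep_current=False -> end every session, forcing a new login
        Returns the new session id, or None when a fresh login is required.
        (Storing the new password hash is assumed to be done by the caller.)
        """
        # Only a valid session that belongs to this customer may be carried over.
        caller_ok = (current_sid is not None and self.is_valid(current_sid)
                     and self.sessions[current_sid][0] == customer_id)
        self.epochs[customer_id] = self.epochs.get(customer_id, 0) + 1
        # Drop stale records instead of leaving them to fail validation later.
        for sid, (cid, _) in list(self.sessions.items()):
            if cid == customer_id:
                del self.sessions[sid]
        if keep_current and caller_ok:
            return self.login(customer_id)  # fresh id, old id is never reused
        return None
```

The epoch check in `is_valid` is what protects against a stolen session: even if a stale record survived cleanup, it would no longer match the customer's current epoch.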
Hi everybody, I've received this email:
Do you think it makes sense? Should it be considered a bug?