yiiframework.com
Session / remember me is not invalidated on password change
Can be reproduced by logging in using multiple browsers. Then one of the browsers changes the password. Another one stays logged in.
That allows a potential attacker to exploit old devices and other outdated points of logging in.
Changing password should invalidate all user sessions including "remember me" cookies.
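
One way to get the requested behaviour, shown as an added, framework-independent sketch (not code from yiiframework.com or Yii): every session and "remember me" cookie is bound to a per-user random key, and that key is rotated whenever the password changes. The in-memory `USERS` and `SESSIONS` dicts, `SERVER_KEY` and all function names are assumptions standing in for the real user table, session store and cookie-signing secret.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: app-wide cookie-signing secret
USERS = {}     # user id -> {"salt", "pw", "auth_key"}   (stand-in for the user table)
SESSIONS = {}  # session id -> (user id, auth_key seen at login)   (stand-in store)


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _remember_cookie(uid, auth_key):
    msg = f"{uid}|{auth_key}".encode()
    return f"{uid}|{hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()}"


def set_password(uid, password):
    """Store the password and rotate auth_key, which orphans every session
    and remember-me cookie issued under the previous key."""
    salt = secrets.token_bytes(16)
    USERS[uid] = {"salt": salt, "pw": _hash_pw(password, salt),
                  "auth_key": secrets.token_hex(16)}


def login(uid, password):
    """Return (session id, remember-me cookie), or None on bad credentials."""
    user = USERS.get(uid)
    if not user or not hmac.compare_digest(user["pw"], _hash_pw(password, user["salt"])):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (uid, user["auth_key"])
    return sid, _remember_cookie(uid, user["auth_key"])


def user_from_session(sid):
    """Accept a session only while its stored key matches the user's current key."""
    uid, key = SESSIONS.get(sid, (None, ""))
    if uid in USERS and hmac.compare_digest(key, USERS[uid]["auth_key"]):
        return uid
    SESSIONS.pop(sid, None)  # stale or unknown session: drop it
    return None


def user_from_cookie(cookie):
    """Accept a remember-me cookie only if it was signed over the current key."""
    uid, _, _mac = cookie.rpartition("|")
    if uid in USERS:
        expected = _remember_cookie(uid, USERS[uid]["auth_key"])
        if hmac.compare_digest(cookie.encode(), expected.encode()):
            return uid
    return None
```

In this sketch the browser that changed the password is logged out as well and has to sign in again with the new password.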