Comment 0 for bug 1328705

Son Nguyen (ngson2000) wrote :

Reported by Turzo Ahmed <email address hidden>

In Mahara, changing the password doesn't destroy the other sessions that are
logged in with the old password.
As the other sessions are not destroyed, an attacker may still be logged in to your
account even after you change the password, as his session is still
active; he'll have complete access to your account until that session
expires!
So your account remains insecure even after changing the password.

We have 2 options to solve this:
1. Delete all active sessions right after a user changes his/her password.
2. Facebook solved this issue by adding a process that asks
users whether they want to close all open sessions or not right after
changing the password.
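As an added illustration of the fix being discussed (this is example code written for this page, not Mahara's own code or its session API), the following shows a server-side session store where a password change re-authenticates the user, replaces the stored hash, and then deletes every other session belonging to that user. The `revoke_other_sessions` flag models option 2: the caller passes the user's answer to an "end other sessions?" prompt, and the default of `True` gives the behaviour of option 1. The user and session tables are constructed in memory; PBKDF2 is used only to keep the example dependency-free.

```python
"""Added example: invalidating a user's other sessions on password change."""
import hashlib
import os
import secrets
from dataclasses import dataclass


@dataclass
class User:
    salt: bytes
    password_hash: bytes


@dataclass
class Session:
    user_id: str


def hash_password(password: str, salt: bytes) -> bytes:
    # Any slow password hash works here; PBKDF2-HMAC-SHA256 is in the stdlib.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthStore:
    """Constructed in-memory user and session tables (hypothetical backend)."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = User(salt, hash_password(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        return secrets.compare_digest(hash_password(password, user.salt), user.password_hash)

    def login(self, user_id: str, password: str) -> str:
        user = self.users.get(user_id)
        if user is None or not self._check_password(user, password):
            raise PermissionError("invalid credentials")
        sid = secrets.token_urlsafe(32)  # unguessable server-side session id
        self.sessions[sid] = Session(user_id)
        return sid

    def is_valid(self, sid: str) -> bool:
        # A session is only valid while its row still exists in the store.
        return sid in self.sessions

    def active_sessions(self, user_id: str) -> int:
        return sum(1 for s in self.sessions.values() if s.user_id == user_id)

    def revoke_other_sessions(self, user_id: str, keep: str) -> int:
        """Delete every session of user_id except `keep`; returns the count removed."""
        stale = [sid for sid, s in self.sessions.items() if s.user_id == user_id and sid != keep]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)

    def change_password(self, sid: str, old_password: str, new_password: str,
                        revoke_other_sessions: bool = True) -> None:
        session = self.sessions.get(sid)
        if session is None:
            raise PermissionError("not logged in")
        user = self.users[session.user_id]
        # Re-authenticate with the current password before replacing the credential.
        if not self._check_password(user, old_password):
            raise PermissionError("current password does not match")
        salt = os.urandom(16)
        self.users[session.user_id] = User(salt, hash_password(new_password, salt))
        # Option 1 (default): drop every other session so a stale login cannot
        # outlive the password it was obtained with. Option 2: the caller passes
        # the user's choice from a "close other sessions?" prompt.
        if revoke_other_sessions:
            self.revoke_other_sessions(session.user_id, keep=sid)


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "old-pass")
    own = store.login("alice", "old-pass")
    other = store.login("alice", "old-pass")  # a second, lingering session
    store.change_password(own, "old-pass", "new-pass")
    print("own session valid:", store.is_valid(own))      # True
    print("other session valid:", store.is_valid(other))  # False
```

The session that performed the change is kept so the user is not logged out of the device they are using; everything else for that user is gone, which is the property the report says Mahara lacks.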