According to Tom's magic 8 ball:
"Logging them out with a warning seems like the safer route."
so I the user still will be logged out but I added the message:
"Password changed successfully. Next, you will be required to authenticate with your new credentials"