After a successful password change, revoke all browser sessions for the same user except the one that submitted the request, so the user can continue from the tab that changed the password while stale sessions on other devices stop being valid as soon as the credentials are updated. Keep API-token behavior unchanged. Add focused regression tests for preserving the current session, revoking the other browser sessions, persisting the revocation, and not revoking anything when the supplied current password is incorrect.
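The flow described above as an added, self-contained Python example; it is not code from this change or the project. The `SessionStore`, `UserStore` and `change_password` names are hypothetical, the in-memory dictionaries stand in for the real session and user tables, and the PBKDF2 hashing is only there so the current-password check is real. The ordering matters: the current password is verified before anything is written, and the revocation happens only after the new password has been stored.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Session:
    token: str
    user_id: int
    kind: str            # "browser" or "api"; only browser sessions are revoked
    revoked: bool = False


@dataclass
class User:
    user_id: int
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-SHA256 stand-in for the real password hasher (hypothetical choice)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class SessionStore:
    """In-memory stand-in for the session table; the revoked flag is what a real
    store must persist so the revocation survives a restart."""

    def __init__(self) -> None:
        self._by_token = {}

    def create(self, user_id: int, kind: str = "browser") -> str:
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(token, user_id, kind)
        return token

    def is_valid(self, token: str) -> bool:
        s = self._by_token.get(token)
        return s is not None and not s.revoked

    def belongs_to(self, token: str, user_id: int) -> bool:
        s = self._by_token.get(token)
        return s is not None and not s.revoked and s.user_id == user_id

    def revoke_other_browser_sessions(self, user_id: int, current_token: str) -> int:
        """Revoke every live browser session of user_id except current_token.
        API tokens (kind != "browser") are left untouched."""
        revoked = 0
        for s in self._by_token.values():
            if s.user_id != user_id or s.kind != "browser" or s.revoked:
                continue
            if hmac.compare_digest(s.token, current_token):
                continue  # the session that submitted the change stays valid
            s.revoked = True
            revoked += 1
        return revoked


class UserStore:
    def __init__(self) -> None:
        self._users = {}

    def create(self, user_id: int, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[user_id] = User(user_id, salt, digest)

    def verify(self, user_id: int, password: str) -> bool:
        u = self._users[user_id]
        _, digest = hash_password(password, u.salt)
        return hmac.compare_digest(digest, u.pw_hash)

    def set_password(self, user_id: int, password: str) -> None:
        u = self._users[user_id]
        u.salt, u.pw_hash = hash_password(password)


def change_password(users: UserStore, sessions: SessionStore, user_id: int,
                    current_token: str, current_password: str,
                    new_password: str) -> Tuple[bool, int]:
    """Returns (changed, number_of_sessions_revoked).
    A wrong current password changes nothing and revokes nothing."""
    if not sessions.belongs_to(current_token, user_id):
        raise PermissionError("request must come from a live session of this user")
    if not users.verify(user_id, current_password):
        return False, 0
    users.set_password(user_id, new_password)
    revoked = sessions.revoke_other_browser_sessions(user_id, current_token)
    return True, revoked
```

In a real backend the password update and the session revocation belong in one database transaction: if the revocation is written separately and fails, the password has changed while the other devices keep working, which is exactly the state the change is meant to remove.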