When a user changes their password, either via reset or the account settings page, we probably want to invalidate all of their sessions for security purposes. This might require changes to how we store sessions in Redis, since currently, I think it's only possible to get a user ID for a given session ID, not the other way. Enumerating all active sessions would be slow...
I'm also not sure if this is something that should apply to connected applications (DaltonTab and whatever) too? Maybe just link to the applications page after changing the password?
When a user changes their password, either via reset or the account settings page, we probably want to invalidate all of their sessions for security purposes. This might require changes to how we store sessions in Redis, since currently, I think it's only possible to get a user ID for a given session ID, not the other way. Enumerating all active sessions would be slow...
I'm also not sure if this is something that should apply to connected applications (DaltonTab and whatever) too? Maybe just link to the applications page after changing the password?