
Sessions not invalidated after password reset. #305

Open
@alexcoman

Description

This vulnerability can cause problems if an account is compromised and
the user requests a new password to protect his data and account.

Because all existing sessions aren't destroyed or invalidated after the
password is changed using the recovery form, the attacker can still use
the victim's account, even though he no longer knows the password.

In this situation, the scenario where two different sessions, created
with two different passwords, exist for the same account is possible.

If you consider this issue important, we'll try to send a pull request quickly.

Yours respectfully,
Alex
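The invalidation the report asks for, as an added example that is not part of this issue or of the project's code: a toy in-memory store (all names are constructed for this illustration) in which every session records the password generation it was issued under, so a reset that bumps the generation revokes every earlier session; the vulnerable variant that only rewrites the hash is shown beside it.

```python
import hashlib
import os
import secrets


class SessionStore:
    """Toy in-memory account + session store (constructed for this example)."""

    def __init__(self):
        self.users = {}     # name -> {"hash", "salt", "gen"}; gen bumps on every password change
        self.sessions = {}  # token -> (name, gen at issue time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = {"hash": self._hash(password, salt), "salt": salt, "gen": 0}

    def login(self, name, password):
        user = self.users.get(name)
        if user is None or not secrets.compare_digest(self._hash(password, user["salt"]), user["hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (name, user["gen"])
        return token

    def session_user(self, token):
        """Username for a valid session token, or None if it is unknown or revoked."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        name, gen = entry
        if gen != self.users[name]["gen"]:
            del self.sessions[token]  # issued under an older password: revoked
            return None
        return name

    def reset_password_vulnerable(self, name, new_password):
        # Mirrors the reported bug: only the hash changes, so every old session stays valid.
        user = self.users[name]
        user["hash"] = self._hash(new_password, user["salt"])

    def reset_password(self, name, new_password):
        # Fixed: new salt and hash, and the generation bump revokes every pre-reset session.
        user = self.users[name]
        user["salt"] = os.urandom(16)
        user["hash"] = self._hash(new_password, user["salt"])
        user["gen"] += 1
```

A real application would additionally issue a fresh session to the user who performed the reset, so the legitimate owner is not logged out by their own recovery.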
