From a7c1ebcc9f9cf678f07cdff48a8266f2e3dded5d Mon Sep 17 00:00:00 2001
From: Marco <marco@delight.im>
Date: Sun, 25 Mar 2018 03:40:57 +0200
Subject: [PATCH] Force logout in any other sessions when a user changes their
 password

---
 src/Auth.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/Auth.php b/src/Auth.php
index 5c8ba2f..0720eba 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -765,9 +765,12 @@ final class Auth extends UserManager {
 	public function changePasswordWithoutOldPassword($newPassword) {
 		if ($this->isLoggedIn()) {
 			$newPassword = self::validatePassword($newPassword);
-			$userId = $this->getUserId();
-			$this->updatePasswordInternal($userId, $newPassword);
-			$this->deleteRememberDirectiveForUserById($userId);
+			$this->updatePasswordInternal($this->getUserId(), $newPassword);
+
+			try {
+				$this->logOutEverywhereElse();
+			}
+			catch (NotLoggedInException $ignored) {}
 		}
 		else {
 			throw new NotLoggedInException();