From f83e94c057cd32fffbcffd8e03c48fbd1b376743 Mon Sep 17 00:00:00 2001
From: Neil Drumm
Date: Tue, 24 Apr 2007 08:04:30 +0000
Subject: [PATCH] - Patch #138531 by bjaspan: destroy existing sessions when a user password is changed. Backport from HEAD.
---
 modules/user/user.module | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/modules/user/user.module b/modules/user/user.module
index 1061ca2b2d7c..9668be85ecb0 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -154,6 +154,13 @@ function user_save($account, $array = array(), $category = 'account') {
 sess_destroy_uid($account->uid);
 }
 
+ // If the password changed, delete all open sessions and recreate
+ // the current one.
+ if (isset($array['pass'])) {
+ sess_destroy_uid($account->uid);
+ sess_regenerate();
+ }
+
 // Refresh user object
 $user = user_load(array('uid' => $account->uid));
 user_module_invoke('after_update', $array, $user, $category);
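Review bot: The new `isset($array['pass'])` guard fires whenever the key is present, not only when the password actually changes, so a save carrying an empty `pass` value would end every session for the account. If the part of user_save outside this hunk only stores non-empty passwords, `if (!empty($array['pass'])) {` would match that behaviour. `sess_regenerate()` also runs unconditionally, so when an administrator edits another account it appears to rotate the administrator's own session rather than anything tied to `$account`. Guarding it with `if ($account->uid == $GLOBALS['user']->uid)` would limit the rotation to a user changing their own password. user_save starts before and continues past this hunk, so both points need checking against the full function.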