Invalidate session after password reset - hosted website
Low
Weblate
Reported by pavanw3b
Vulnerability Details
Hey team,
The Hosted Website doesn't invalidate the session after the password is reset. It's one of the OWASP recommendations to terminate the session when a password is changed and force the user to re-login.
### Quote from OWASP:
> **Renew the Session ID After Any Privilege Level Change**
> The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session. Other common scenarios must also be considered, such as password changes.
**Source:**
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change
### Steps to reproduce:
- Log on to https://hosted.weblate.org/accounts/reset/
- Request a password reset.
- Click the email link received.
- Change the password and notice the session is not reset.
### Suggested Fix:
When the password is reset, force logout the user and redirect to login page with a message.
Some HackerOne examples:
https://hackerone.com/reports/15785
https://hackerone.com/reports/15852
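Added illustration of the suggested fix, not Weblate's code or part of the original report: the session-binding pattern Django uses, where each session stores an HMAC over the user's current password hash, so a password reset silently invalidates every session bound to the old hash and the next request finds the user logged out. The in-memory `Store`, `User`, the server secret and the placeholder `hash_password` are constructed assumptions standing in for real backends.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: an in-memory user/session store standing in for a web
# framework's backends. Each session records an HMAC over the user's current
# password hash; a request whose session hash no longer matches is logged out.
SERVER_SECRET = b"constructed-server-secret-not-for-production"


@dataclass
class User:
    username: str
    password_hash: str  # stored password hash, never the password itself

@dataclass
class Store:
    users: dict = field(default_factory=dict)     # username -> User
    sessions: dict = field(default_factory=dict)  # session_id -> (username, auth_hash)

def hash_password(password: str) -> str:
    # Placeholder for the example; a real app uses a slow KDF such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()

def session_auth_hash(user: User) -> str:
    # Keyed HMAC so the session store does not hold the raw password hash.
    return hmac.new(SERVER_SECRET, user.password_hash.encode(), "sha256").hexdigest()

def login(store: Store, username: str) -> str:
    session_id = secrets.token_urlsafe(32)
    store.sessions[session_id] = (username, session_auth_hash(store.users[username]))
    return session_id

def current_user(store: Store, session_id: str):
    """Return the user for a session, or None if the session is unknown or stale."""
    entry = store.sessions.get(session_id)
    if entry is None:
        return None
    username, stored = entry
    user = store.users.get(username)
    if user is None or not hmac.compare_digest(stored, session_auth_hash(user)):
        store.sessions.pop(session_id, None)  # stale: evict so it cannot be reused
        return None
    return user

def reset_password(store: Store, username: str, new_password: str) -> None:
    """Rotating the stored hash invalidates every session bound to the old one."""
    store.users[username].password_hash = hash_password(new_password)
```

A reset flow built on this can still redirect to the login page with a message, as the report suggests, but the invalidation no longer depends on that redirect happening in every code path.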
Report Details
State: Closed
Substate: Duplicate