You said session invalidation failed after password change. Why didn’t sessions get revoked?

After a password change, failing to rotate session identifiers left old sessions valid and exploitable for days. The fix was enforcing forced session rotation on every credential change to prevent compromised sessions from persisting.