Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -N -r1.126.2.43 -r1.126.2.44
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl	26 Dec 2020 15:32:38 -0000	1.126.2.43
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl	12 Jan 2021 17:36:24 -0000	1.126.2.44
@@ -191,8 +191,17 @@
 
         if {$session_user_id > 0} {
             try {
-                sec_login_read_cookie
+                set login_cookie [sec_login_read_cookie]
+                set auth_token [lindex $login_cookie 2]
 
+                #
+                # Verify currently stored user authentication token
+                # against the one on the login cookie.
+                #
+                if {$auth_token ne [sec_get_user_auth_token $session_user_id]} {
+                    throw {AD_EXCEPTION USER_AUTH_TOKEN_INVALID} "User authentication token is invalid."
+                }
+
             } trap {AD_EXCEPTION NO_COOKIE} {errorMsg} {
                 #
                 # No login cookie.
@@ -205,9 +214,20 @@
                 #
                 ns_log notice "=== invalid login_cookie"
 
-            } on ok {login_list} {
+            } trap {AD_EXCEPTION USER_AUTH_TOKEN_INVALID} {errorMsg} {
+                #
+                # Invalid user auth token in the login cookie. This
+                # happens e.g. when user changed their password, hence
+                # all logins on different devices must be
+                # invalidated. Make sure to log the current user out
+                # and update session cookie and ad_conn information.
+                #
+                ad_user_logout
+                sec_login_handler
+
+            } on ok {} {
                 set login_cookie_exists_p 1
-                set persistent_login_p [lindex $login_list end]
+                set persistent_login_p [lindex $login_cookie end]
             }
         }
 
@@ -319,18 +339,7 @@
         ::security::log timeout "SessionRefresh in [expr {($session_expr - [sec_session_renew]) - [ns_time]}] secs"
 
         if {  $session_expr - [sec_session_renew] < [ns_time] } {
-
-            # # LARS: We abandoned the use of sec_login_handler here. This lets people stay logged-in forever
-            # # if only they keep requesting pages frequently enough, but the alternative was that
-            # # the situation where LoginTimeout = 0 (infinite) and the user unchecks the "Remember me" checkbox
-            # # would cause users' sessions to expire as soon as the session needed to be renewed
             sec_generate_session_id_cookie
-
-            # apisano 2018-06-08: as discussed in
-            # https://openacs.org/forums/message-view?message_id=1691183#msg_1691183,
-            # this would break sec_change_user_auth_token as a mean to
-            # invalidate user login...
-            #sec_login_handler
         }
     }
     #