After a password reset link is requested and a user's password is then changed, not all existing sessions are logged out automatically. Logging in with the new password doesn't invalidate the older session either: I could browse my account using two sessions (in two different browsers).

Steps:

1. Suppose there are 2 browsers, X and Y. Log in to your account using browser X.
2. Now go to browser Y. Open the website and ask for a password reset link.
3. Go to your email and open the password reset link to change the password and log in.
4. Go back to browser X and do anything you want.

The account is still active.
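The mitigation for the behaviour reported above is to revoke every server-side session bound to the account when the password changes. The following is an added example, not code from the original report or the affected site; `AccountStore`, `demo` and the in-memory storage are hypothetical names chosen for illustration.

```python
import hashlib, hmac, os, secrets

class AccountStore:
    """In-memory accounts and server-side sessions (constructed for illustration)."""

    def __init__(self):
        self.users = {}      # username -> (salt, password_hash)
        self.sessions = {}   # session token -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        salt, stored = self.users[username]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def is_active(self, token):
        return token in self.sessions

    def revoke_all(self, username):
        """Drop every session bound to the account; return how many were dropped."""
        stale = [t for t, u in self.sessions.items() if u == username]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def reset_password(self, username, new_password, revoke=True):
        """Set a new password. revoke=False reproduces the reported behaviour."""
        self.set_password(username, new_password)
        return self.revoke_all(username) if revoke else 0

def demo(revoke):
    """Browser X logs in, browser Y resets; report which sessions remain active."""
    store = AccountStore()
    store.set_password("alice", "old-password")        # constructed sample account
    session_x = store.login("alice", "old-password")   # browser X
    store.reset_password("alice", "new-password", revoke=revoke)
    session_y = store.login("alice", "new-password")   # browser Y after the reset
    return store.is_active(session_x), store.is_active(session_y)
```

`demo(False)` leaves browser X's session active after the reset, matching the report; `demo(True)` leaves only the session created with the new password.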