If password changed while user logged in

[mshannaq]

Hello

if secert2 is changed while user is logged it , does that mean shield must ask the user to relogging?

IF I create a separate controller and model to change user secret2

for example:
Model:

namespace App\Models;

use CodeIgniter\Model;

class AccountModel extends Model
{
    protected $DBGroup          = 'default';
    protected $table            = 'auth_identities ';
    protected $primaryKey       = 'id';   
    protected $returnType       = 'array';
    protected $useSoftDeletes   = false;
    protected $protectFields    = true;


    // Dates
    protected $useTimestamps = false;
    protected $createdField  = 'created_at';
    protected $updatedField  = 'updated_at';


    // Define the fields that can be updated
    protected $allowedFields = ['secret', 'secret2'];

    // Update user data by ID
    public function updatePassword($userId, $data)
    {
        // Ensure that the ID exists before attempting an update
        if ($this->where('user_id', $userId)->countAllResults() === 1) {
            $this->set($data)
                ->where('user_id', $userId)
                ->update();
            return true; // Update successful
        }
        return false; // User ID not found
    }

}

Controller: (just a sample)

class Account extends BaseController
{
 
    /**
     * @return void
     */
    public function changepwd()
    {




        $this->accountModel = new AccountModel();
        $newPassword = "newtestpassword";
        $passwords = new Passwords(config('Auth'));

        $data = [
            'secret2' => $passwords->hash($newPassword),
        ];



        // Call the updateUser method in the model
        if ($this->accountModel->updatePassword(user_id(), $data)) {
            // Update successful
            echo "update ok";
        } else {
            // User not found
            echo "update error .. user not found";
        }


  }


}

this will successfully change the password for user_id().

but what happened If the user already logged in?

Isn't it logical to request login from the user again?

or there is another method to do change password (secret2) for a user?

the answer is no? and that is ok

but what If he have remember token me?

[datamweb]

If you want to create a page to change the password, you can see number #639. And be inspired by it.

[mshannaq]

wow , #639 it is very ince

[kenjis]

this will successfully change the password for user_id().
but what happened If the user already logged in?
Isn't it logical to request login from the user again?

I'm not sure, but if you think so, you should implement like that.
After changing the password, remove the remeber-me token and log the user out.