I know there are similar posts here, but this is a specific question I'd like an answer to.

Why, after multiple password changes, is a browser session still valid ? Surely this should be immediately invalidated. My wife was able to view and send emails from my account from an old session on her phone browser after my account's password was changed (not by me), multiple times. When I could recover it, I changed the password again. Still active.

I have set the session time to be 5 minutes which logged the other session.