delete all tokens on password change

lib/base.php

@@ -552,9 +552,11 @@ class OC{
 				OC_Util::redirectToDefaultPage();
 				// doesn't return
 			}
-			// if you reach this point you are an attacker
-			// we remove all tokens to be save
-			OC_Preferences::deleteApp($_POST['user'], 'login_token');
+			// if you reach this point you have changed your password 
+			// or you are an attacker
+			// we can not delete tokens here because users will reach 
+			// this point multible times after a password change
+			//OC_Preferences::deleteApp($_POST['user'], 'login_token');
 		}
 		OC_User::unsetMagicInCookie();
 		return true;

lib/user.php

@@ -329,6 +329,8 @@ class OC_User {
 					}
 				}
 			}
+			// invalidate all login cookies
+			OC_Preferences::deleteApp($uid, 'login_token');
 			OC_Hook::emit( "OC_User", "post_setPassword", array( "uid" => $uid, "password" => $password ));
 			return $success;
 		}