(PENDING) Worrying password behaviour.


TonyRPH

Original Poster:

12,973 posts

168 months

Sunday 16th October 2016
I have noticed that some topics are being shown as visited, despite me not visiting them.

This prompted me to change my (Pistonheads) password, just in case my account had been compromised.

However, what has caused me some concern is that I changed my (PH) password while logged in on my laptop, and this morning I went to my PC (still logged in to PH with the old password) and I was still granted access.

I expected any attempts to access my Pistonheads account on the PC (logged in with the old password remember) to deny me access.

But clearly, the old password has not been invalidated on changing it.

This is not very secure!!!


jackmansfield1

3,256 posts

90 months

PH TEAM

Sunday 16th October 2016
Hi TonyRPH,

I'm very sorry about this but thank you for bringing it up with us. I will send it over to the tech team straight away.

Cheers

Jack

JimbobVFR

2,682 posts

144 months

Sunday 16th October 2016
Was it for viewing only?

I'm sure when I changed my password many months ago it let me in on another computer where I'd chosen to stay logged in, however as soon as I tried to do anything other than view threads I had to log in with my new password.

budgie smuggler

5,388 posts

159 months

Sunday 16th October 2016
TonyRPH said:
"But clearly, the old password has not been invalidated on changing it."

Doubt it, more likely your session was still open. Normal behaviour in a web app, passwords aren't checked every time you view a page.

TonyRPH

Original Poster:

12,973 posts

168 months

Sunday 16th October 2016
budgie smuggler said:
"Doubt it, more likely your session was still open. Normal behaviour in a web app, passwords aren't checked every time you view a page."

Yes, I realise this - however, with phpBB etc., as soon as you change your password it is invalidated across devices immediately.

I guess that with phpBB, the password is stored locally, rather than a simple cookie (or some other method is used to validate it).




Dom_PH

358 posts

104 months

PH TEAM

Monday 17th October 2016
Hi TonyRPH,

Thanks for your feedback. The tech team are investigating your issue.

Thanks,
Dom

TonyRPH

Original Poster:

12,973 posts

168 months

Monday 17th October 2016
I would also like to add that upon changing my PH password on my laptop, I wasn't prompted to log in again - my session just continued as if nothing had changed.

I had expected my login to expire immediately and then to be forced to log in with the new password, but I wasn't.

I'm using Windows 8.1 and Chrome on both laptop and PC btw.
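
An added example, not part of the thread and not Pistonheads' or phpBB's code: one common way to get the behaviour discussed above is to stamp each server-side session with a per-user credential version and compare it on every request, so a password change strands sessions on other devices without re-checking the password per page view. The `SessionStore` class, its method names and the in-memory dictionaries are assumptions made for illustration.

```python
import hashlib, hmac, secrets

class SessionStore:
    """In-memory stand-in for a server-side session table (constructed for this example)."""
    def __init__(self):
        self._users = {}     # username -> salt, pw_hash, cred_version
        self._sessions = {}  # token -> user, cred_version at issue time

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

    def _check(self, user, password):
        rec = self._users.get(user)
        return rec is not None and hmac.compare_digest(rec["pw_hash"], self._hash(password, rec["salt"]))

    def _set_password(self, user, password):
        salt = secrets.token_bytes(16)
        rec = self._users.setdefault(user, {"cred_version": 0})
        rec.update(salt=salt, pw_hash=self._hash(password, salt))
        rec["cred_version"] += 1  # bumping this is what strands older sessions

    def register(self, user, password):
        self._set_password(user, password)

    def _issue(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "cred_version": self._users[user]["cred_version"]}
        return token

    def login(self, user, password):
        return self._issue(user) if self._check(user, password) else None

    def validate(self, token):
        """Return the username for a live session, or None if unknown or stale."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if sess["cred_version"] != self._users[sess["user"]]["cred_version"]:
            del self._sessions[token]  # issued under the old password: purge
            return None
        return sess["user"]

    def change_password(self, token, old_password, new_password):
        """On success every existing session goes stale; the caller gets a fresh token."""
        user = self.validate(token)
        if user is None or not self._check(user, old_password):
            return None
        self._set_password(user, new_password)
        return self._issue(user)
```

Returning no token from `change_password` instead of a fresh one gives the stricter behaviour of forcing a new login on the device that made the change as well.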