diff --git a/tresetter.py b/tresetter.py
index a728132..a8951e8 100644
--- a/tresetter.py
+++ b/tresetter.py
@@ -245,6 +245,7 @@ async def change(req: ChangeData, session_id: str = Cookie(None)) -> SuccessData
     hashed = session["proposed_password_hash"]
     if not kdf_verify(hashed, req.password):
         raise HTTPException(status_code=409)
+    delete_session(session_id)
 
     success = change_password(session["username"], req.password)
     return SuccessData(success=success)