When the user drops the password and set a new password, all old sessions continue to work.
If the account is hacked, the hacker will save access to the account even after the password is reset.
To the password changing there is no sense...
OwlGreen there is a plan to add an option to end all sessions to the password reset feature. It's part of the session management UI feature that is currently being reviewed on GitHub. The same feature also adds a button to review and end all other sessions from the settings page.
If you want to end all active sessions in Flarum versions up to 1.6, you can just logout. It will actually terminate all active sessions. This will probably be changed once we have the dedicated button to end all active sessions.