Let's imagine an attacker gets access to your account.
Once you get your account back, you change the password.
Unfortunately, the attacker used a cookie for automated login.
Now he can still use the auto-login to abuse your account, although he does not have the new password.
Of course a user could manually delete the auto login keys and an admin can manually delete all sessions, but I think we should do that automatically when the password is changed.
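
One way to implement the behaviour requested above, as an added example that is not part of the original post or the project's own code. The in-memory `AccountStore` and all of its method, field and parameter names are hypothetical; keeping the session that performs the change alive (`keep_session`) is an assumption that goes beyond what the post asks for.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _key_id(key: str) -> str:
    # Only a hash of the auto-login key is stored server-side.
    return hashlib.sha256(key.encode()).hexdigest()


class AccountStore:  # hypothetical store, not the project's schema
    def __init__(self):
        self.users = {}      # username -> (salt, password_hash)
        self.autologin = {}  # sha256(auto-login key) -> username
        self.sessions = {}   # session id -> username

    def _new_session(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash_password(password, salt))

    def login(self, user, password, remember=False):
        salt, stored = self.users[user]
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None, None
        key = secrets.token_urlsafe(32) if remember else None
        if key:
            self.autologin[_key_id(key)] = user
        return self._new_session(user), key

    def login_with_key(self, key):
        user = self.autologin.get(_key_id(key))
        return self._new_session(user) if user is not None else None

    def change_password(self, user, new_password, keep_session=None):
        self.set_password(user, new_password)
        # Revoke every auto-login key and every other session of this user.
        self.autologin = {k: u for k, u in self.autologin.items() if u != user}
        self.sessions = {s: u for s, u in self.sessions.items()
                         if u != user or s == keep_session}
```
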