As per the specification, we need to allow session creation (returning 201) and to use that session only to change the password.
When a client accesses the service by using credentials from a ManagerAccount resource that has a
PasswordChangeRequired value of true, the service shall allow:
• A session login and include a @Message.ExtendedInfo object in the response containing the
PasswordChangeRequired message from the Base Message Registry. This indicates to the
client that their session is restricted to performing only the password change operation before
access is granted.
Based on the above point, we can allow the created session to change the password alone, and after the password is changed, the old session needs to be invalidated (deleted), since that session was created using the default password. The created session can only be used to change the password, and it becomes invalid after the password change. Please confirm this scenario of deleting the session after changing the password, and if any details are available in the specification, please point to that section.
There is nothing today that requires the session to be terminated upon password change. It's entirely up to the service's session policy whether or not a session is terminated in conditions like this. Some implementations may choose to keep the session active, but some security folks may consider this a flaw.
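As an added illustration of the spec clause quoted in the question and the policy choice described in the reply (this is example code, not from the thread, the Redfish specification or any implementation), the following minimal Python model creates a restricted session for a PasswordChangeRequired account, allows that session only to PATCH its own Password, and exposes terminate-on-change as a service policy knob. The class name, the registry version prefix in MSG_ID and the account URIs are assumptions.

```python
# Added example: a toy Redfish-style session policy for PasswordChangeRequired accounts.
# Not from the thread or the specification; names and URIs are assumptions.
import secrets

# Assumed message id; the real Base registry version prefix may differ.
MSG_ID = "Base.1.X.PasswordChangeRequired"


class SessionService:
    def __init__(self, accounts, terminate_on_change=True):
        self.accounts = accounts    # {user: {"Password": str, "PasswordChangeRequired": bool}}
        self.sessions = {}          # token -> {"user": str, "restricted": bool}
        self.terminate_on_change = terminate_on_change  # policy knob; the spec does not mandate it

    def login(self, username, password):
        """POST to the Sessions collection -> (status, token, ExtendedInfo list)."""
        acct = self.accounts.get(username)
        if acct is None or not secrets.compare_digest(acct["Password"], password):
            return 401, None, []
        token = secrets.token_urlsafe(24)
        restricted = acct["PasswordChangeRequired"]
        self.sessions[token] = {"user": username, "restricted": restricted}
        uri = f"/redfish/v1/AccountService/Accounts/{username}"
        info = [{"MessageId": MSG_ID, "MessageArgs": [uri]}] if restricted else []
        return 201, token, info          # 201 even though the session is restricted

    def request(self, token, method, path, body=None):
        """Authorize one request under the session's restriction; returns an HTTP status."""
        sess = self.sessions.get(token)
        if sess is None:
            return 401
        own_account = f"/redfish/v1/AccountService/Accounts/{sess['user']}"
        is_pw_patch = method == "PATCH" and path == own_account and bool(body) and "Password" in body
        if sess["restricted"]:
            # A restricted session may only PATCH its own Password, nothing else.
            if not (is_pw_patch and set(body) == {"Password"}):
                return 403
        if is_pw_patch:
            return self._change_password(token, sess, body["Password"])
        return 200

    def _change_password(self, token, sess, new_password):
        acct = self.accounts[sess["user"]]
        acct["Password"] = new_password
        acct["PasswordChangeRequired"] = False
        if sess["restricted"] and self.terminate_on_change:
            del self.sessions[token]     # session was bound to the default credential; drop it
        else:
            sess["restricted"] = False   # keep the session but lift the restriction
        return 200
```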