I feel like maybe this should be a realm setting.

Let's say I am a user who lost my smartphone or my laptop.  I think to myself -- I should probably go and change my passwords, which I do, expecting that I am now protected.  But it is a false sense of security, because the old sessions remain valid until they time out in one way or another.  If your users are consumers (which mine are) and not enterprise users, it is a lot to have to educate each of them on the idea that in addition to changing their password they have to go into the account management application and log out their sessions.
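
As an added example (not code from this thread, and not the implementation of any particular product), here is a minimal Python model of the two behaviours being debated: sessions stamped with the credential version they were issued under, and a hypothetical per-realm flag, `logout_on_password_change`, that decides whether a password change bumps that version and so invalidates every other session. The `Realm`, `User`, `Session` names, the flag, and the `demo` scenario (lost phone, password changed from the laptop) are all invented for illustration.

```python
"""Session invalidation on password change: a minimal model.

Added example for the discussion above. Not code from the thread or from
any product; Realm, User, Session and the logout_on_password_change flag
are hypothetical names chosen for illustration.
"""
import hashlib
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    # Incremented on every credential change when the realm flag is on;
    # each session records the value that was current when it was issued.
    credential_version: int = 0


@dataclass
class Session:
    session_id: str
    username: str
    credential_version: int
    expires_at: float


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Realm:
    """Hypothetical realm with one flag controlling the behaviour."""

    def __init__(self, logout_on_password_change: bool, session_ttl: float = 3600.0):
        self.logout_on_password_change = logout_on_password_change
        self.session_ttl = session_ttl
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def _check(self, user: Optional[User], password: str) -> bool:
        return user is not None and secrets.compare_digest(
            _hash_password(password, user.salt), user.pw_hash)

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if not self._check(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(
            sid, username, user.credential_version, time.time() + self.session_ttl)
        return sid

    def change_password(self, username: str, old_password: str, new_password: str,
                        keep_session: Optional[str] = None) -> bool:
        user = self.users.get(username)
        if not self._check(user, old_password):
            return False
        user.salt = os.urandom(16)
        user.pw_hash = _hash_password(new_password, user.salt)
        if self.logout_on_password_change:
            user.credential_version += 1
            # The session that performed the change stays usable (the user is
            # clearly present on that device); every other session goes stale.
            if keep_session in self.sessions:
                self.sessions[keep_session].credential_version = user.credential_version
        return True

    def is_valid(self, sid: Optional[str]) -> bool:
        sess = self.sessions.get(sid) if sid else None
        if sess is None or sess.expires_at < time.time():
            return False
        user = self.users.get(sess.username)
        # A session issued under an older credential version is rejected.
        return user is not None and sess.credential_version == user.credential_version


def demo(logout_on_password_change: bool) -> Tuple[bool, bool]:
    """Constructed scenario: log in on a phone (later lost) and on a laptop,
    then change the password from the laptop.
    Returns (phone_session_still_valid, laptop_session_still_valid)."""
    realm = Realm(logout_on_password_change)
    realm.register("alice", "correct horse")
    phone = realm.login("alice", "correct horse")
    laptop = realm.login("alice", "correct horse")
    changed = realm.change_password("alice", "correct horse", "battery staple",
                                    keep_session=laptop)
    if not changed or realm.login("alice", "correct horse") is not None:
        raise RuntimeError("password change did not take effect")
    return realm.is_valid(phone), realm.is_valid(laptop)
```

With the flag off, `demo(False)` returns `(True, True)`: the lost phone keeps its session until it expires, which is the situation described above. With the flag on, `demo(True)` returns `(False, True)`: the phone's session is rejected on its next request while the laptop that made the change stays logged in. Keeping the changing session alive is a design choice of this example; a stricter policy would drop that one too.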

IMO the current behaviour is the correct one, and I can't see any reason to log out a user after changing the password.

