diff --git a/lib/base.php b/lib/base.php
index cac416003e0fedf23e4dcdc085ad457bd619ec85..b02db4d05f5e2d43bcf27f959370a7b4dee118aa 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -552,9 +552,11 @@ class OC{
 				OC_Util::redirectToDefaultPage();
 				// doesn't return
 			}
-			// if you reach this point you are an attacker
-			// we remove all tokens to be save
-			OC_Preferences::deleteApp($_POST['user'], 'login_token');
+			// if you reach this point you have changed your password 
+			// or you are an attacker
+			// we can not delete tokens here because users will reach 
+			// this point multible times after a password change
+			//OC_Preferences::deleteApp($_POST['user'], 'login_token');
 		}
 		OC_User::unsetMagicInCookie();
 		return true;
diff --git a/lib/user.php b/lib/user.php
index be8ddce88bb15347771443bdef59ed015eb8fe54..11373a740147d51a193d1972a2100baf789a0682 100644
--- a/lib/user.php
+++ b/lib/user.php
@@ -329,6 +329,8 @@ class OC_User {
 					}
 				}
 			}
+			// invalidate all login cookies
+			OC_Preferences::deleteApp($uid, 'login_token');
 			OC_Hook::emit( "OC_User", "post_setPassword", array( "uid" => $uid, "password" => $password ));
 			return $success;
 		}