Think Roller still uses the Simple Hash-Based Token Approach? Instead there
is the Persistent Token Approach, which uses a persistent_logins table to
manage the tokens. So changing the password also invalidates other
remember-me logins.
I have experimented with the Persistent Token Approach, but there are
a lot of extra pesky logins required for some reason or other.
https://docs.spring.io/spring-security/reference/servlet/authentication/rememberme.html
There is a warning on the config also:
# Some folks consider remember-me type functionality to be a security risk
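
An added example, not part of the original message and not Roller or Spring Security code: a simplified in-memory model of the series/token scheme behind the Persistent Token Approach described in the linked Spring documentation. The class and method names are hypothetical, and the map stands in for the persistent_logins table.

```java
import java.security.*;
import java.util.*;

// Simplified model of a persistent_logins table (assumption: rows keyed by series).
public class PersistentRememberMeDemo {
    record Row(String username, String token) {}
    static final Map<String, Row> persistentLogins = new HashMap<>();
    static final SecureRandom rng = new SecureRandom();

    static String random() {
        byte[] b = new byte[16];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Interactive login with "remember me" ticked: returns the cookie value "series:token".
    static String login(String username) {
        String series = random(), token = random();
        persistentLogins.put(series, new Row(username, token));
        return series + ":" + token;
    }

    // Auto-login from a cookie: returns the rotated cookie, or null if a full login is required.
    static String autoLogin(String cookie) {
        String[] p = cookie.split(":", 2);
        Row row = p.length == 2 ? persistentLogins.get(p[0]) : null;
        if (row == null) return null;                        // unknown or already removed series
        if (!MessageDigest.isEqual(row.token().getBytes(), p[1].getBytes())) {
            removeUserTokens(row.username());                // known series, stale token: treat as theft
            return null;
        }
        String next = random();                              // rotate the token on every successful use
        persistentLogins.put(p[0], new Row(row.username(), next));
        return p[0] + ":" + next;
    }

    // Assumed to be called by the application on password change or logout.
    static void removeUserTokens(String username) {
        persistentLogins.values().removeIf(r -> r.username().equals(username));
    }

    public static void main(String[] args) {
        String laptop = login("alice"), phone = login("alice");   // constructed sample user
        System.out.println("fresh cookie accepted: " + (autoLogin(laptop) != null));
        System.out.println("replayed old cookie accepted: " + (autoLogin(laptop) != null));
        System.out.println("other device still remembered: " + (autoLogin(phone) != null));
    }
}
```

In this model a single replay of an already-rotated cookie removes every row for that user, so the other device also has to log in again.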