I know what you’re saying, but I think you’re implying an association between the “remember me” function and the “password change” function which in practice, isn’t there. The auth token you get when authenticating is not generally tied to the value of the password (i.e. when using the membership provider), after all, you’re logically keeping the identity authenticated across sessions and in this regard, it works just fine.

To be honest, this sounds like more of a user behaviour problem than a technology problem. In your use case, someone is consciously asking the browser to allow them to remain authenticated for a long period of time and doing so on a machine which they have no control over. Of course I’m assuming you have a “remember me” checkbox and if you don’t, there’s your answer right there.

The other thing you might want to look at is what OWASP talks about in part 3 of the Top 10 – Broken authentication and session management. This link will put it in a .NET context for you but in short, it talks a lot about reducing the opportunity for exactly what you’re describing to happen by things like eager session expiration, disabling sliding sessions and obviously giving end users the control to expire the token at session expiration and log out at any time.