diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 17f9763777c..36be2b16c1c 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -409,6 +409,7 @@ class UsersController < ApplicationController
     @user.auth_token = nil
     if @user.save
       Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
+      session["password-#{params[:token]}"] = nil
       logon_after_password_reset
     end
   end
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 8f9bb6ff1b4..d5f259cdaf7 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -251,6 +251,7 @@ describe UsersController do
       user.reload
       expect(user.auth_token).to_not eq old_token
       expect(user.auth_token.length).to eq 32
+      expect(session["password-#{token}"]).to be_blank
     end
 
     it "doesn't invalidate the token when loading the page" do
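Review bot: The added line clears the `password-<token>` session entry only inside the `if @user.save` branch, so whatever that key holds stays in the session whenever the save fails or the user abandons the flow; if, as the key name suggests, it is the user's chosen password, that is sensitive material that should not outlive the attempt. Assigning `nil` also leaves the key itself in the session hash (relevant for cookie-store sessions, where every key is serialized into the cookie), whereas `session.delete("password-#{params[:token]}")` removes it. Consider moving the cleanup out of the success branch, or into an `ensure`, so it runs on every exit path, and prefer `delete` over `= nil`. The enclosing action starts and ends outside this hunk, so I cannot see where the value is first written or whether `params[:token]` has already been validated at this point.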
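Review bot: The new assertion `expect(session["password-#{token}"]).to be_blank` passes trivially if the key was never populated in this example, so on its own it does not prove the controller cleared anything. The start of this `it` block is outside the hunk; unless an earlier line seeds the key, add something like `session["password-#{token}"] = "some-password"` before the reset request so the assertion actually exercises the clearing, and note that `be_blank` will also accept the `nil` left behind by the controller's `= nil` assignment while still leaving the key present in the session hash.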