Improper Session Management Allows Unauthorized or Persistent Sessions


    • Type: Bug
    • Resolution: Done
    • Priority: High
    • 2.8
    • Affects Version/s: None
    • FLW Sprint 36, FLW Sprint 37, FLW Sprint 38, FLW Sprint 39
    • FLW Mobile App
    • UAT

      The application exhibits improper session management: a session (and its token) stays valid after events that must revoke or rotate it, such as logout, password reset, permission change and MFA enrollment. A stolen or lingering token therefore keeps granting access, which weakens authentication, increases the risk of account takeover, and violates the expected security controls.

      Steps to Reproduce:

      1. Log in as a valid user, capturing the session identifier/token.
      2. Perform an action that should invalidate or rotate the session (e.g., logout, password reset, permission change, MFA enrollment).
      3. Attempt to reuse the old session/token.
      4. Observe that access is still granted or the session remains active.
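The following is an added example, not code from the FLW Mobile App or its backend: a server-side session store that revokes or rotates sessions on the events named in the steps above, shown next to a naive store that keeps old tokens valid until they expire. `reproduce()` walks steps 1 to 4 against either store and reports whether the old token is still accepted. The user names, the `SESSION_TTL` value and the event names are assumptions made for the example.

```python
"""Added example (not the application's own code): session revocation and
rotation on logout, password reset, permission change and MFA enrollment."""
import hashlib
import secrets
import time

SESSION_TTL = 3600  # assumed idle lifetime in seconds (not from the ticket)


def _digest(token: str) -> str:
    # Keep only a hash server-side so a leaked store cannot replay live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class NaiveSessionStore:
    """Vulnerable behaviour: a token stays valid until its TTL, whatever happens."""

    def __init__(self):
        self._sessions = {}  # digest -> (user, expires_at)

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[_digest(token)] = (user, time.time() + SESSION_TTL)
        return token

    def validate(self, token):
        entry = self._sessions.get(_digest(token))
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]

    def logout(self, token):
        pass  # bug: only client-side state is cleared; the server keeps the session

    def password_reset(self, user):
        pass  # bug: existing sessions survive the credential change

    def permission_change(self, user):
        pass  # bug: sessions keep running in the old privilege context


class HardenedSessionStore:
    """Every security event deletes the session or bumps the user's session
    generation, so any token minted earlier is rejected on its next use."""

    def __init__(self):
        self._sessions = {}    # digest -> (user, expires_at, generation)
        self._generation = {}  # user -> current generation

    def login(self, user):
        token = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(user, 0)
        self._sessions[_digest(token)] = (user, time.time() + SESSION_TTL, gen)
        return token

    def validate(self, token):
        key = _digest(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, expires_at, gen = entry
        # A stale generation means a reset or permission change happened after issue.
        if expires_at < time.time() or gen != self._generation.get(user):
            self._sessions.pop(key, None)  # lazy cleanup of the dead session
            return None
        return user

    def logout(self, token):
        self._sessions.pop(_digest(token), None)  # revoke server-side, not just on the client

    def revoke_all(self, user):
        self._generation[user] = self._generation.get(user, 0) + 1

    # Password reset and permission change invalidate every session of the user.
    password_reset = revoke_all
    permission_change = revoke_all

    def rotate(self, token):
        """For a change made from the current device (e.g. MFA enrollment):
        revoke all sessions of the user, then hand the caller a fresh token."""
        user = self.validate(token)
        if user is None:
            return None
        self.revoke_all(user)
        return self.login(user)


def reproduce(store, event):
    """Steps 1 to 4 of the ticket. Returns True when the old token is still
    accepted after `event`, i.e. the reported bug is present."""
    token = store.login("alice")                      # step 1: log in, capture token
    assert store.validate(token) == "alice"
    if event == "logout":                             # step 2: invalidating action
        store.logout(token)
    elif event in ("password_reset", "permission_change"):
        getattr(store, event)("alice")
    else:
        raise ValueError(f"unknown event: {event}")
    return store.validate(token) is not None          # steps 3-4: reuse the old token
```

The check that matters for this ticket is in `validate()`: the hardened store rejects a token when its recorded generation no longer matches the user's current one, so a password reset or permission change on any device ends every session at once, while `logout()` removes the server-side record rather than relying on the client to forget the token. `rotate()` covers the MFA-enrollment case where the current device should keep working but on a fresh token.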

              Assignee:
              Deep Shikha
              Reporter:
              Shashank Kharkwal
              Votes:
              0
              Watchers:
              3
