MC-31435: PHPSessionId should changed after logout

Author: tsviklinskyi

app/code/Magento/Customer/Model/AccountManagement.php

@@ -720,7 +720,6 @@ public function resetPassword($email, $resetToken, $newPassword)
             $newPassword
         );
         $this->checkPasswordStrength($newPassword);
-        $this->sessionManager->regenerateId();
         //Update secure data
         $customerSecure = $this->customerRegistry->retrieveSecureData($customer->getId());
         $customerSecure->setRpToken(null);
@@ -1047,7 +1046,6 @@ private function changePasswordForCustomer($customer, $currentPassword, $newPass
         $customerEmail = $customer->getEmail();
         $this->credentialsValidator->checkPasswordDifferentFromEmail($customerEmail, $newPassword);
         $this->checkPasswordStrength($newPassword);
-        $this->sessionManager->regenerateId();
         $customerSecure = $this->customerRegistry->retrieveSecureData($customer->getId());
         $customerSecure->setRpToken(null);
         $customerSecure->setRpTokenCreatedAt(null);
@@ -1632,6 +1630,7 @@ private function getEmailNotification()
      */
     private function destroyCustomerSessions($customerId)
     {
+        $this->sessionManager->regenerateId();
         $sessionLifetime = $this->scopeConfig->getValue(
             \Magento\Framework\Session\Config::XML_PATH_COOKIE_LIFETIME,
             \Magento\Store\Model\ScopeInterface::SCOPE_STORE