The new password wasn't being stored in the session, so it was lost when $GLOBALS['phpgw']['user'] was recreated from session info through class.session.verify.

This prevented user passwords to be changed more than once per session. I'm sure this caused other bugs I'm not aware of...

preferences/changepassword.php

@@ -78,7 +78,7 @@
 		}
 		else
 		{
-			$GLOBALS['phpgw_info']['user']['passwd'] = $passwd_changed;
+			$GLOBALS['phpgw']->session->appsession('password','phpgwapi',base64_encode($n_passwd));
 			$GLOBALS['hook_values']['account_id'] = $GLOBALS['phpgw_info']['user']['account_id'];
 			$GLOBALS['hook_values']['old_passwd'] = $o_passwd;
 			$GLOBALS['hook_values']['new_passwd'] = $n_passwd;