When a user logs in via the Login form, set a session cookie flag that the user is fully authenticated. Conversely, when a user comes in via a remember me cookie, the flag won't be set again.
In the following scenarios, if the user is not fully authenticated:
Marking as wont fix/duplicate since I think we should always "Require old password when changing password or email" even if the user just logged in.
Use case: For example, user logs in, leaves computer, attacker changes password 2 minutes later, we should require the old password even if the authenticate cookie would be found.