When users type in the wrong password too many times on the command line, they have to re-enable their account by going to the website and logging in with a captcha. Unfortunately, if they're already logged in on the Stash web site, they need to log out first.

Instead, when captcha is triggered, invalidate any web sessions for the user and remove any RememberMe tokens. This will force the user to log in the next time they interact with the web.