As we are discussing about a similar feature, I investigated about why sec_change_user_auth_token seems to be uneffective. Commit
http://cvs.openacs.org/changelog/OpenACS?cs=MAIN%3Aantoniop%3A20180608133913
should fix the issue, but please feel free to review the change, as Lars's comment states the possibility of side effects.
All the best