Maybe it would be best to notify users to copy their passwords first.. or some other note.
It's up only to the forum owner :) The script will include dynamic suggestions of an immediate password change, if a user logs in with the old password. So for some time, the logging with the old password will work — but won't pass the user further unless the password is updated.
As I see, the bb_func_login.php can be extended to add the session_start() / session_unset() functions and should be simple to change, I hope.
I'm still considering if either we should use PHP sessions, or my own.
The sad fact about PHP sessions is that they are kept until the browser is opened. As soon as you leave the browser, the session is destroyed, and you should re-login. For many years I was keeping the old auth mechanism in miniBB exactly because of its long-term nature — the login is kept for some longer time, and even if you re-open the browser, it could be still kept if there was no log-out.
With PHP sessions, this approach won't work... and this eliminates the comfort of usability.