Uses Django's built-in PasswordChangeForm and update_session_auth_hash
so the session stays valid after the change. Form is hidden in a
<details> element and opens automatically on validation errors.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>