CGI::Session->find( \&purge );
sub purge {
  my ($session) = @_;
  next if $session->is_empty;    # <-- already expired?!
  if ( ($session->param('user_id') eq $bad_user_id) ) {
    $session->delete();
    $session->flush(); 
  }
}

# now change password associated with $bad_user_id...