by tvelichkov 3520 days ago
If you steal someone else's password-reset link, change the password, then at the end of the day, won't you end up with a password, but missing the email/username in order to log in? I mean the reset password link shouldn't reveal any other credentials about the account. (I know at some sites after resetting a password you may end up automatically logged in, but I think this is a bad practice).
3 comments

Depends on how the reset behaves. Some resets log you in immediately after providing a new password. Some require you to log in after resetting the password.

I feel like I've seen more of the former than the latter.

I don't think it's so simple.

Before generating the PW reset link, someone might try to log in first. So they'd enter bob@example.com into the login form and then, when that failed, it's not uncommon to redirect with error-msg-in-session to /login?email=bob@example.com. So you'd leak the email first.

Given how many (more than 90% imo) reset links are something like /reset?email=test@test.com&token=0123456789, that's not quite as much of an issue as it may seem...
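The reset-token design the comments above argue about, as an added example that is not part of this thread: the link carries only an opaque random token (no email, unlike /reset?email=...&token=...), the token is stored hashed, is single-use and time-limited, and redeeming it sets the password without starting a session. ACCOUNTS, RESET_TOKENS and example.invalid are constructed stand-ins for a real database and host.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid
# Constructed in-memory stores standing in for the real user and token tables.
ACCOUNTS = {"bob@example.com": {"salt": secrets.token_bytes(16), "pw": None}}
RESET_TOKENS = {}  # sha256(token) -> {"email": ..., "expires": ...}

def _hash_password(password, salt):
    # Slow, salted hash; a production system would use argon2 or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_reset_token(email, now=None):
    """Return the opaque token to e-mail to the user, or None for an unknown
    address. The HTTP response must look the same either way so the form
    does not confirm which addresses exist."""
    if email not in ACCOUNTS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    # Store only a hash: a leaked token table cannot be turned into live links.
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {"email": email, "expires": now + TOKEN_TTL}
    return token

def build_reset_link(token):
    """The link carries only the token; the account is looked up server-side."""
    return "https://example.invalid/reset?token=" + token

def redeem_reset_token(token, new_password, now=None):
    """Consume the token exactly once and set the new password. On success the
    caller sends the user to the login form rather than starting a session."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.pop(digest, None)  # single use, even if expired
    if record is None or now > record["expires"]:
        return False
    account = ACCOUNTS[record["email"]]
    account["pw"] = _hash_password(new_password, account["salt"])
    return True

def verify_password(email, password):
    account = ACCOUNTS.get(email)
    if account is None or account["pw"] is None:
        return False
    return hmac.compare_digest(account["pw"], _hash_password(password, account["salt"]))
```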