The current behavior noticed on 14.10.16 is that after opening the reset password link once, the second time is not possible, even if the password reset was not actually done with the link.
Also, there are still cases when depending on the settings on the user's side or their email client, the reset password link might be pre-read and so it would burn the only time they would be able to use the link.
It would be useful to update the reset password link timeout to a longer value, such as 1h, allowing more time to open the reset password link no matter how many times in that 1 hour after receiving the reset password mail , as long as the password reset is not actually done using that link . |
|