We're setting up a feature to enable users to reset their password when they can't get access to their account. We ask for their email address (which they use for logging into the site) and send them an email with a unique link.
The questions are:
- Should the link expire on first click, or should it expire on first use (i.e., when they reset their password successfully)?
- Should the link have 24 hour validity (or something similar)?
- Should the user be logged in after he clicks that link?
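The three questions above map onto three decisions in the token store behind the link. The following is an added example, not code from the poster or from any project they mention; it uses a hypothetical in-memory store (a real site would use a database table) and an injectable clock so the expiry can be exercised. It shows a token that is hashed before storage, has a 24-hour validity window, survives being clicked (so an email scanner or an accidental click does not burn it), and is consumed only when the password is actually changed; issuing a new link also retires any older outstanding one. Whether to log the user in afterwards is left as a separate step, so the `reset_password` call deliberately returns a result rather than a session.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the "24 hour validity" asked about in the question


@dataclass
class ResetRecord:
    user_email: str
    token_hash: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Hypothetical in-memory reset-token store (assumption: a real app persists this)."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable so expiry can be tested
        self._records: dict[str, ResetRecord] = {}   # token_hash -> record
        self.passwords: dict[str, str] = {}          # email -> password (demo only)

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is stored: a leaked table does not yield working reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh single-use token for the emailed link; retires older ones."""
        for rec in self._records.values():
            if rec.user_email == email and not rec.used:
                rec.used = True
        token = secrets.token_urlsafe(32)        # unguessable, from the OS CSPRNG
        token_hash = self._hash(token)
        self._records[token_hash] = ResetRecord(
            user_email=email,
            token_hash=token_hash,
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token  # embedded in the link sent by email; never stored in clear

    def _lookup(self, token: str):
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        return rec

    def is_valid(self, token: str) -> bool:
        """Called when the link is clicked: checks the token but does not consume it."""
        return self._lookup(token) is not None

    def reset_password(self, token: str, new_password: str) -> bool:
        """Consumes the token only when the password is actually changed."""
        rec = self._lookup(token)
        if rec is None:
            return False
        self.passwords[rec.user_email] = new_password
        rec.used = True   # expire on first successful use, not on first click
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    link_token = svc.issue("alice@example.com")   # constructed sample address
    print("click valid:", svc.is_valid(link_token))
    print("reset ok:", svc.reset_password(link_token, "new-password"))
    print("second reset ok:", svc.reset_password(link_token, "other"))
```

Because `is_valid` never marks the record used, the reset form can be shown repeatedly until the user submits it; once `reset_password` succeeds the same token is rejected, and a link older than `TOKEN_TTL_SECONDS` is rejected even if it was never used.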