Post by CelticHarp » Tue Jul 03, 2012 3:55 am

If a customer makes a reset password request then the password CHANGES with a new, random password that is emailed to the user.

Is it me or is it a bad practice?
What happens if someone knows your email address and requests a password reset for you?
Then your password will change automatically. And what if you are already logged in at the time and you are making a payment or something? (I guess) you will be logged out for no reason, and the customer will be scared by the security you are providing him.

Am I missing something?
Is there a new version of this in the latest version? I'm using 1.5.2.1.

On the other hand, the admin password reset sends an email with a link that the user must click in order to change his password. I consider this a better approach.

Just sayin' :)

Thank you.
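
The link-based flow the post prefers, sketched as an added example (not part of the original post and not the shop software's own code): a reset request only issues a single-use, expiring token, and the stored password changes only when that token is redeemed. `ResetStore`, `TOKEN_TTL`, the in-memory dictionaries and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed value)

class ResetStore:
    """In-memory stand-in for the customer table and a reset-token table."""

    def __init__(self):
        self.passwords = {}  # email -> salt + PBKDF2 digest
        self.tokens = {}     # sha256(token) -> (email, expiry timestamp)

    @staticmethod
    def _hash_password(password, salt=None):
        salt = salt or secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return salt + digest

    def set_password(self, email, password):
        self.passwords[email] = self._hash_password(password)

    def check_password(self, email, password):
        stored = self.passwords.get(email)
        if stored is None:
            return False
        candidate = self._hash_password(password, stored[:16])
        return hmac.compare_digest(stored, candidate)

    def request_reset(self, email, now=None):
        """Issue a token to e-mail as a link. The stored password is NOT touched."""
        now = time.time() if now is None else now
        if email not in self.passwords:
            return None  # caller shows the same message either way
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
        self.tokens[key] = (email, now + TOKEN_TTL)
        return token

    def redeem(self, token, new_password, now=None):
        """Change the password only when a valid, unexpired token is presented."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(key, None)  # single use: removed on first attempt
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_password)
        return True
```

With this design, a request made by someone who only knows the e-mail address leaves the existing password and any active session untouched; the account changes only if the mailbox owner follows the link.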
