Ok – so I forgot my password on Menshn, again, and went to reset my password. Normal email address+token thing – except I noticed another problem.
Menshn emails you a link in the form:
At least they are not emailing plain text passwords again. But, I noticed that the token link can be used both multiple times, and it does not expire.
Requesting a new token to be emailed to you invalidates earlier tokens – however it remains the case that the most recent pwreset token stays valid.
Ooops. Bad Menshn, bad. Back to the naughty corner for you.
At least clear the stored token when the user uses it once (and ensure you don’t accept blank tokens).