
Let's assume this situation: I am a user of an online shop, I forgot my password. So I use the functionality of this online shop to reset my password. The online shop sends me an email with a link I should visit to change my password. I changed my password, but did not delete this email.

Now, a day later (after this password reset) I saw this email again, clicked on it again, and I could change my password again. From a security perspective: how would you value this situation?

devopsfun
I feel like the linked question is asking a related question but still essentially answers the question you've asked. If you don't agree please edit and clarify what it is you want to know. – PwdRsch May 24 '17 at 23:04

3 Answers


If you can do that, it means that the developers didn't use a token to make that link valid only for a certain time.

The right solution is to use tokens that will expire either after the password has been reset or after 10-15 mins.

The Illusive Man

This situation has a security risk in it, because if any other person gets hold of this link, they can change your password and use your account in an undesirable way.

But in general such password reset links come with a token attached that has an expiry. Using this mechanism, the link becomes unusable after a certain time period. Generally the time limit for the token to expire ranges from minutes to days, which is at the sole discretion of the website/portal owners.

The reset mail that you have received might have specified the time the link will be active.

Hope this clarifies.


That's not good because anyone with that link (note: the token is the most important) can make changes to your password for an unlimited time.

Solution 1: Invalidate the token once the password has been successfully reset.

Solution 2: Make the token expire after some time. Real-world examples often range from 10 minutes to 3 hours.

I'd recommend implementing both of the above.
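As an added example (not code from any of the answers or from a real shop), here is a minimal Python reset-token service implementing both solutions at once: each token is single-use and expires after an assumed 15-minute window, and only a hash of the token is stored server-side. The class, its methods and the in-memory stores are hypothetical names chosen for this illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

RESET_TTL_SECONDS = 15 * 60  # assumed expiry window (the answers suggest 10-15 minutes)


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Hypothetical in-memory reset-token store (example only, not production code)."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested offline
        self._records = {}     # sha256(token) -> ResetRecord
        self.passwords = {}    # user_id -> current password (a real system stores a slow hash)

    @staticmethod
    def _hash(token: str) -> str:
        # Store only a hash: a leaked database must not yield usable reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        # Fresh unguessable token from the OS CSPRNG; this is what goes into the emailed link.
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = ResetRecord(
            user_id=user_id, expires_at=self._now() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token: str, new_password: str) -> bool:
        rec = self._records.get(self._hash(token))
        # Reject unknown tokens, tokens already spent (solution 1) and stale tokens (solution 2).
        if rec is None or rec.used or self._now() > rec.expires_at:
            return False
        rec.used = True        # mark single-use before touching the account
        self.passwords[rec.user_id] = new_password
        return True
```

Clicking the same emailed link a second time, or a day later, now fails at `redeem`, which is the behaviour the question found missing.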