2 Jul 10, 2006 23:20
The best way to do this should be to do as phpBB does: the new password is stored in a "new password" field, then this new password is mailed to the user with a link containing an activation code to activate that new password for the user. This means that if the link is not clicked, the password is not changed.
There is another solution, which is to prevent anybody from accessing the password recovery page, which is a simple htaccess rule.
Please tell me which solution you prefer, and I may write a hack to help you ;)
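The staged-password flow described in the post above, as an added example that is not part of the original post and is not phpBB's code. The field names, the one-hour lifetime and the dict standing in for a user row are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of an activation link, in seconds

def hash_password(password, salt=None):
    """Salted PBKDF2 hash, stored as 'salt$hash' (hex)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def check_password(password, stored):
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(hash_password(password, salt), stored)

def new_user(password):
    """Constructed user row: the live password plus the pending fields."""
    return {"password": hash_password(password), "new_password": None,
            "act_key": None, "act_expires": 0}

def request_reset(user, now=None):
    """Stage a random password; return (password, activation code) to mail out."""
    now = time.time() if now is None else now
    new_pw = secrets.token_urlsafe(12)
    code = secrets.token_urlsafe(32)
    user["new_password"] = hash_password(new_pw)
    # Store only a hash of the code so a database leak does not yield valid links.
    user["act_key"] = hashlib.sha256(code.encode()).hexdigest()
    user["act_expires"] = now + TOKEN_TTL
    return new_pw, code

def activate(user, code, now=None):
    """Swap in the staged password only if the code matches and is still fresh."""
    now = time.time() if now is None else now
    if user["act_key"] is None or now > user["act_expires"]:
        return False
    supplied = hashlib.sha256(code.encode()).hexdigest()
    if not hmac.compare_digest(supplied, user["act_key"]):
        return False
    user["password"] = user["new_password"]
    user["new_password"] = user["act_key"] = None  # the code works only once
    return True
```

Until `activate` succeeds, the old password keeps working, so a reset requested by someone other than the account owner cannot lock the owner out.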