Allow looking up old reset password tokens from the version table (if it hasn't been disabled). If the token in the clicked link is no longer valid but exists in the version table, then either:
1. Display a specific message such as: "Your reset password link has expired because a new one was generated at x:x:x time", or "Your reset password link is no longer valid as you successfully set your password at x:x:x time".
2. If the old token has not expired, allow it to be used to validate the user.
Allow users to configure whether this feature is used at all and which of the above two options should be used.
Is it possible to add a restriction with a multiple-retry cooldown timer, so that when a user resets the token for the first time and accidentally triggers the reset token again in the next 5 minutes, an error will be displayed instead of issuing a new token?
Hi, could you help to review the changes please?
Thanks. This was reworked, and a fix is available in the upcoming 10.12.0 release.
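The lookup proposed at the top of this thread and the cooldown suggested in the reply, as an added Python example; it is not the project's code, nor the fix shipped in the release. The single in-memory table, the state names, `ResetStore`, `TOKEN_TTL` and the hashing of stored tokens are assumptions.

```python
import hashlib, hmac, secrets

TOKEN_TTL = 3600  # assumed token lifetime, seconds
COOLDOWN = 300    # the 5-minute window suggested in the thread

def digest(token):
    # Keep only a hash, so the history table never holds a usable token.
    return hashlib.sha256(token.encode()).hexdigest()

class ResetStore:
    def __init__(self, allow_old_tokens=False):
        self.allow_old_tokens = allow_old_tokens  # option 2 from the request
        self.rows = []  # hypothetical version table: one dict per issued token

    def _find(self, user, state):
        return [r for r in self.rows if r["user"] == user and r["state"] == state]

    def issue(self, user, now):
        active = self._find(user, "active")
        if active and now - active[0]["issued"] < COOLDOWN:
            return None  # cooldown: first link stays valid, caller shows an error
        for r in active:
            r.update(state="superseded", retired=now)
        token = secrets.token_urlsafe(32)
        self.rows.append({"user": user, "digest": digest(token),
                          "issued": now, "state": "active", "retired": None})
        return token

    def redeem(self, user, token, now):
        d = digest(token)
        row = next((r for r in self.rows if r["user"] == user
                    and hmac.compare_digest(r["digest"], d)), None)
        if row is None:
            return ("invalid", None)
        if row["state"] == "password_set":
            return ("password_set", row["retired"])   # option 1, second message
        if row["state"] == "superseded" and not self.allow_old_tokens:
            return ("superseded", row["retired"])     # option 1, first message
        if now - row["issued"] >= TOKEN_TTL:
            return ("expired", row["issued"] + TOKEN_TTL)
        # Success: retire every outstanding link for this user, old or current,
        # so option 2 never leaves a second usable token behind.
        for r in self._find(user, "active") + self._find(user, "superseded"):
            r.update(state="password_set", retired=now)
        return ("ok", now)
```

The second element of each result is the timestamp the messages in option 1 would display.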