Forgot Password behavior question...
Imagine a scenario where a user clicks the forgot password link. Let's say they put someone else's valid email address in the email address field. Think of a kid that's a prankster that can see email addresses of members of a site or just knows a valid email address based on correspondence with a buddy.
Am I correct in understanding the way SA handles the process when someone interacts with the forgot password page is to generate a random password, then encrypt it and store it in the database using the password atrribute for the email address that was entered, and then mail the randomly generated password to the email address that was entered (using a temporary session variable if I remember the tutorial correctly)?
Imagine you are the recipient of the email that is sent showing you the new randomly generated password. If you disregard it because you didn't request a new password, how will you ever get back into the site given that the password was changed by SA?
If you can't login using what you thought was your existing password, does this mean that someone can get any member's email address (or any number of them) and trigger password resets for each of them even though the owner never requested this?