On password recovery, what to do if device is already logged in?
Say a user requests a password recovery on a computer. Our system then sends an email with a unique link to recover the account.
However, now consider that the user receives this email and opens it on his mobile phone (or any other device). He clicks the link; however, on this device he is already logged in as another account.
So the naive implementation is that the user gets a password recovery while already logged in, potentially to another account. This feels awkward and unintuitive, but I can't really decide on the correct course of action. I see several options and wonder which follows the principle of least astonishment:
- Should the current behaviour be kept, allowing a logged-in user to change the password for another user?
- Should the current session be invalidated/user logged out upon opening the password recovery link?
- Should the link just "not work" (forbidden error?) when trying to open on a device where already logged in?
And would this behaviour change if the request is for the "same" user? (i.e. on the other device he is already logged in as the user for whom the password request was made)?
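As an added example (not code from the question or from any answer), one way to model the three options above side by side, with the account to reset always taken from the recovery token and never from whatever session happens to be on the device; the in-memory store, the `Session` class and the policy names are assumptions:

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The three behaviours from the question, applied only when the device already
# holds a session for a *different* account than the one the token belongs to.
KEEP_SESSION, LOGOUT_SESSION, FORBID = "keep", "logout", "forbid"

@dataclass
class Session:
    user: Optional[str] = None  # None means "not logged in on this device"

@dataclass
class ResetStore:
    """Constructed in-memory token store (a real system would persist this)."""
    tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    ttl: float = 15 * 60  # seconds a recovery link stays valid

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, one per request
        self.tokens[token] = (user, time.time() + self.ttl)
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Account bound to a live token, without consuming it."""
        for stored, (user, expiry) in self.tokens.items():
            if hmac.compare_digest(stored, token) and time.time() < expiry:
                return user
        return None

    def consume(self, token: str) -> None:
        self.tokens.pop(token, None)  # single use: burn it once the reset proceeds

def open_reset_link(store: ResetStore, session: Session, token: str,
                    policy: str = KEEP_SESSION) -> Tuple[str, Optional[str]]:
    """Returns (outcome, account_to_reset); the account always comes from the
    token, never from whichever session happens to be on the device."""
    target = store.lookup(token)
    if target is None:
        return ("invalid_or_expired", None)
    if session.user is not None and session.user != target:
        if policy == FORBID:
            return ("forbidden", None)  # token kept, so a retry after logout works
        if policy == LOGOUT_SESSION:
            session.user = None  # drop the other account's session first
    store.consume(token)
    return ("ok", target)
```

Whichever policy is chosen, the "same user" case falls through unchanged, because the session already belongs to the token's owner.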