I'm just testing the lost password feature on a site I currently have in development. So I visit the page (http://new.sworcs.ac.uk/Security/lostpassword), enter my email address, and within a few minutes I receive an email with a reset password link in it.
So far so good.
The problem is, once I hit the reset password link in the email, I'm taken to a form which not only asks me for my new password, but also asks me for my old one as well.
This would be fine if I knew what my old password was, but seeing as I started this process by using the lost password form, this doesn't make any sense.
... I've got a two-browser set-up on my machine, and I had visited the lost password form using a browser on which I was not logged into the site - but upon getting the reset link, I viewed it on a browser in which I WAS logged in - which I'm guessing is why I got the current password field.
I've since used the reset link on the other browser, and got what I expected.