forgotten password is reset and emailed ONLY to the email address stored in the database for the provided user id. This doesn't prevent a malicious person from resetting someone else's password, BUT the person who receives the email saying what the new (randomly generated) password is, is the valid user.
That all sounds good. I assume that once someone logs in successfully via SSL, you send them a cookie, and they continue using that over an unsecured connection? In that case, the cookie essentially becomes the user's password. Do you have a good solution for preventing the bad guys from capturing and reusing that cookie?