embed timestamp in password reset token, only work for 24 hours

app/controllers/login_controller.rb

@@ -55,13 +55,12 @@ class LoginController < ApplicationController
   def set_new_password
     @title = "Reset Password"
 
-    if params[:token].blank? ||
-    !(@reset_user = User.where(:password_reset_token => params[:token].to_s).first)
-      flash[:error] = "Invalid reset token.  It may have already been " <<
-        "used or you may have copied it incorrectly."
-      return redirect_to forgot_password_url
+    if (m = params[:token].to_s.match(/^(\d+)-/)) &&
+    (Time.now - Time.at(m[1].to_i)) < 24.hours
+      @reset_user = User.where(:password_reset_token => params[:token].to_s).first
     end
 
+    if @reset_user
       if params[:password].present?
         @reset_user.password = params[:password]
         @reset_user.password_confirmation = params[:password_confirmation]
@@ -75,5 +74,10 @@ class LoginController < ApplicationController
           return redirect_to "/"
         end
       end
+    else
+      flash[:error] = "Invalid reset token.  It may have already been " <<
+        "used or you may have copied it incorrectly."
+      return redirect_to forgot_password_url
+    end
   end
 end

app/models/user.rb

@@ -174,7 +174,7 @@ class User < ActiveRecord::Base
   end
 
   def initiate_password_reset_for_ip(ip)
-    self.password_reset_token = Utils.random_str(40)
+    self.password_reset_token = "#{Time.now.to_i}-#{Utils.random_str(30)}"
     self.save!
 
     PasswordReset.password_reset_link(self, ip).deliver