Wow...
... That is just such a schoolboy error. I know, let's do a password reset...
Ok, we need a unique code that is sent to the account holder's email address and that is all; we must store the code securely on our servers, and the code should be a one-shot affair and time out.
So send the code to the client browser too? No no no, just to the account holder's email address, otherwise it defeats the fricken point!
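An added example, not from the original post, of the rules above in Python: the reset code is high-entropy, only its hash is stored, it expires, it can be redeemed once, and the HTTP response never carries it. The `ResetTokenStore`, `request_reset`, in-memory `users` map and `send_email` callback are hypothetical stand-ins for a real user store and mailer.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # reset code times out after 15 minutes


class ResetTokenStore:
    """Server-side store keeping only the SHA-256 of each issued code."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock (for tests)
        self._by_hash = {}              # sha256(code) -> (user_id, expires_at)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user_id):
        # 256 bits from the OS CSPRNG; a leaked database row reveals only the hash
        code = secrets.token_urlsafe(32)
        # any earlier outstanding code for this user is invalidated
        self._by_hash = {h: v for h, v in self._by_hash.items() if v[0] != user_id}
        self._by_hash[self._digest(code)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return code

    def redeem(self, code):
        # pop() makes the code one-shot: a second redeem finds nothing
        entry = self._by_hash.pop(self._digest(code), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None                 # timed out; entry is already gone
        return user_id


def request_reset(store, users, email, send_email):
    """Handler for the 'forgot password' form: the code goes to the mailbox only."""
    user_id = users.get(email)
    if user_id is not None:
        send_email(email, store.issue(user_id))
    # identical response whether or not the address exists, and no code in it
    return {"status": "ok"}
```
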