SECURITY: prevent reuse of password reset

app/controllers/application_controller.rb

@@ -9,6 +9,7 @@ require_dependency 'json_error'
 require_dependency 'letter_avatar'
 require_dependency 'distributed_cache'
 require_dependency 'global_path'
+require_dependency 'secure_session'
 
 class ApplicationController < ActionController::Base
   include CurrentUser
@@ -381,6 +382,11 @@ class ApplicationController < ActionController::Base
     end
   end
 
+
+  def secure_session
+    SecureSession.new(session["secure_session_id"] ||= SecureRandom.hex)
+  end
+
   private
 
     def locale_from_header
@@ -558,6 +564,7 @@ class ApplicationController < ActionController::Base
       render_to_string status: status, layout: layout, formats: [:html], template: '/exceptions/not_found'
     end
 
+
   protected
 
     def render_post_json(post, add_raw=true)