I'm working on a new password reset workflow on a website, and I am wondering if there are any best practices on the topic of logging in after a password reset. Once the new password has been entered by the user, should they need to click login and enter their username and new password, or be automatically logged in? Personally, I prefer them to log in after resetting the password so that their browser has a chance to update its saved passwords. Automatic login just seems insecure to me. Are there any other thoughts on the subject?
Basically, I'd recommend having one log-in entry point to your application. Although this additional log-in creates a burden on the user, I'd say the benefits overcome this: