Using srand(time()) to generate a token for a password reset (or for a CSRF token) is bad because the token can be predictable.
I read these:
But I don't understand how the token can be predictable. I understand that if in one second I reset my password many times I get the same token. I have the following code:
<?php
srand(time());
$reset_password_token = rand(444444444444,999999999999);
?>
If I reset my password many times in one seconds, I know I get the same token but how can an attacker exploit this?
It limits the scope of their brute force. For instance they only need to attempt only 60 passwords if they know someone did a reset within the last minute.
But it's worse than that. The attacker can get into any account they want by initiating a password reset for that account. After this, they generate a few tokens by repeatedly calling srand with the unix timestamp for the some small window of time around the reset, incrementing each time. One of those tokens must match unless your clock is way off.