Logging in a user after password reset via link

From a security point of view, whether the "password reset" logs you in automatically or not is rather neutral. Neither behaviour is inherently more secure than the other. I suppose that most sites do what was simplest to implement on the server side.

A point to consider is that security is achieved as long as everybody cooperates; in particular, the principle of least surprise is of paramount importance. That principle, applied to security, means that trouble is afoot when things don't occur as the human user expects them to. In this case, the human user may or may not expect to be logged in after a reset. Let's see what happens if the user is "surprised":

  • If the user expected to be logged in, and is not, then he may be somewhat irked by the necessity to enter his password again. However, consequences stop there. Notably, the requirement to have to enter the password a third time will not induce the user to choose a weaker but easier to type password, because, by definition, he was not aware of this third entry when he chose the password.
  • If the user did not expect to be logged in after a password reset, and still is logged in, then that user may simply not notice that he is logged in, and remain so. This contradicts the user control of open sessions (the reason why most sites have a prominent "logout" button).

In that sense, a (rather weak) case can be made against logging the user automatically on password reset: security consequences of an unnoticed login can be worse than consequences of an unexpected lack of automatic login.


There's no difference. If a hacker got to the link, then he can anyway reset the password and log in again. It makes no difference to him, he can't further abuse the feature.

The only time it makes sense to do this is if you're using some form of multi-factor authentication. Of course, in that case, one would expect you to include the multi-factor bit in the reset workflow as well.
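
As an added illustration (my own code, not from either answer above or from any particular framework), here is a minimal reset-completion flow in Python that makes the choices under discussion concrete: the link token is single-use and time-limited, every existing session is revoked when the password changes (the session-control concern from the first answer), an enrolled second factor must be presented before the reset completes (the second answer's point), and whether a fresh session is created afterwards is a single flag. `ResetService`, `login_after_reset`, `mfa_passed` and the 15-minute token lifetime are assumptions of the example.

```python
"""Password-reset completion with single-use tokens, session revocation and an
optional MFA gate. Illustrative code; class, flag and parameter names are
assumptions, not taken from any real library."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    mfa_enrolled: bool = False
    sessions: set = field(default_factory=set)  # ids of currently open sessions


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _token_key(token: str) -> str:
    # Only a digest of the token is stored, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    def __init__(self, login_after_reset: bool = False):
        self.login_after_reset = login_after_reset
        self.users: dict[str, User] = {}
        # token digest -> (username, expiry timestamp)
        self.pending: dict[str, tuple[str, float]] = {}

    def add_user(self, name: str, password: str, mfa_enrolled: bool = False) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, _hash_password(password, salt), mfa_enrolled)

    def verify_password(self, name: str, password: str) -> bool:
        u = self.users[name]
        return hmac.compare_digest(_hash_password(password, u.salt), u.password_hash)

    def issue_reset_token(self, name: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy; this goes into the emailed link
        self.pending[_token_key(token)] = (name, now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str,
                       mfa_passed: bool = False, now: float = None):
        """Consume the token, set the new password, revoke old sessions.

        Returns a new session id if login_after_reset is set, else None.
        Raises PermissionError on any failure; the token is burned either way,
        so a failed attempt means the user has to request a fresh link.
        """
        now = time.time() if now is None else now
        entry = self.pending.pop(_token_key(token), None)  # single use
        if entry is None:
            raise PermissionError("unknown or already used token")
        name, expiry = entry
        if now > expiry:
            raise PermissionError("token expired")
        user = self.users[name]
        if user.mfa_enrolled and not mfa_passed:
            raise PermissionError("second factor required to reset this account")
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new_password, user.salt)
        user.sessions.clear()  # whoever held the old sessions is now logged out
        if not self.login_after_reset:
            return None
        sid = secrets.token_urlsafe(16)
        user.sessions.add(sid)
        return sid
```

The session revocation is the part that matters regardless of which way the auto-login flag is set: after a reset the user (or an attacker) may hold open sessions, and clearing them is what gives the user back control of those sessions. Whether a new session is then created is the policy choice the answers debate, and it is isolated in one flag so it can be flipped without touching the rest.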


Anytime you are writing code you have to think to yourself, "How can an attacker abuse this functionality?" Not having this internal dialogue is very dangerous, as the programmer will probably expose dangerous functionality. Not fully understanding the attacker's perspective will lead to looking at vulnerabilities that could never exist.

So in this case:

How could an attacker possibly benefit from automatically logging in after they have reset the password of a victim's account? In this case, clearly the damage is already done, and automatically logging in a user is the least of your concerns.