if you use the password reset feature and the subsequent one-time login you get via email, clicking that link won't log you out of an existing session. This sounds exotic but might happen on multi-user machines. It's at least confusing. So, please make sure that link causes a log out before it re-logs you in.
The current behavior is: User A receives a one-time login link. Then goes to a Browser window/sesion where User B is currently logged in. Then User A copy-and-pasts the login link into the browser. The result is that User B is still logged in.
trying the before (after a manual log out of my admin account) the PW reset form asked for my current PW - doesn't make sense Didn't we have that issue before?
We have had this issue before. The problem is that there is no way to reset the password (currently) without entering your current password. This obviously needs to change.
also, please confirm that the one-time login link takes you to the PW reset form right away
It does not. In fact these points could be combined.
Future behavior: The one-time link takes you to a password-reset page, where your current password is not required. Then you reset your password before continuing on your way.
If any user (even the current user) is currently logged in when the one-lime link is activated, it destroys the current user session first, thus log out whomever is currently logged-in. Then the workflow continues as above.