In a web application, if the user forgets his password, its fairly common practice to send an email to the user with a temporary link or password that expires after a given amount of time. Most of the posts I read on SO suggested expiring the link after 24 to 72 hours, but it seems to me that it would really only be needed for about 10 minutes. My question is, to improve security is there a good reason to allow such a link to remain active for longer than 10 minutes?
You are assuming too much about your users. It is not uncommon for a user to request a password reset on the spur of the moment, but not check their email for several hours. For instance, they might be at work when they realise they can't log in to the service, but the email goes to their personal inbox, which they don't read till they get home. They will often do the request for a reset on the spot because they don't want to have to remember to request it later.
Often times there are several minute delays in sending emails. So ten minutes is cutting it a little too close.
If you are using a decent-sized randomly generated hash in the link, I don't think something like 24 hours is unreasonable. It's unguessable and the only vulnerability would come from the person's email account being hijacked.
First question is - How critical is security? What the worst that can happen if security is breached? (Will money be lost, or will someone be able to post a message on a forum under someone else name?)
24 hours max, in my opinion. I personally always locate the email immediately, but as others have mentioned, there can be unexpected delays. If a user is expecting an immediate response but has to step out before the email arrives, they may not be able to get to it immediately.
I think 12 hours is a good medium. If you make it very short, expect to see users request the reset multiple times within a day or two.
Peter, a good way to go about this is having a sensible timeout of 24 hours. This is incase for example the recipient's inbox is hacked 1 week after requesting the password and the intruder has the ability to change the password. 24 hours is sensible.