My process is as follows.
1. User initiates a forgotten password request
The user clicks a forgotten password link and is then redirected to a reset password form where they are asked to enter their registered email address.
2. Email address verified and token generated
After the user has entered their email address, the system verifies that it exists in the database. If the email address is valid, then a token is generated and stored in the database with the user's credentials.
3. Send recovery email
An email is sent to the registered email address containing a link to a reset form. The link includes 2 GET parameters: the token and the user's unique ID stored in the database.
4. Reset password
After the user clicks the link, they are taken to the reset form. The system retrieves the 2 GET parameters from the URL and verifies they exist in the database. If the token is verified to exist in the database with the user, then the user may be shown the reset password form fields to enter a new password.
Security
I suggest using BCrypt (available since PHP 5.3) to hash the passwords and, for additional security, perhaps use some sort of expiration for the token so it can't be used after a period of time.
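The flow described above, sketched as an added example that is not part of the original post. It assumes PHP 7+ (for `random_bytes`), an in-memory array standing in for the users table, a one-hour token lifetime and an `example.com` reset URL. Storing only a SHA-256 hash of the token and clearing it after use go beyond what the post describes.

```php
<?php
// Constructed in-memory stand-in for the users table (an assumption; a real
// application would use its database).
$users = [
    42 => ['email' => 'alice@example.com', 'password_hash' => null,
           'reset_token_hash' => null, 'reset_expires' => 0],
];

const RESET_TTL = 3600; // assumed token lifetime: one hour

// Steps 2-3: generate a token for a registered address and build the link.
function startReset(array &$users, string $email, int $now): ?string
{
    foreach ($users as $id => &$user) {
        if ($user['email'] === $email) {
            $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
            // Store only a hash so a leaked table does not expose usable tokens.
            $user['reset_token_hash'] = hash('sha256', $token);
            $user['reset_expires'] = $now + RESET_TTL;
            return 'https://example.com/reset.php?id=' . $id . '&token=' . $token;
        }
    }
    return null; // unknown address: no token is created, no email is sent
}

// Step 4: verify the two GET parameters, then store the new password.
function finishReset(array &$users, int $id, string $token, string $newPassword, int $now): bool
{
    $user = $users[$id] ?? null;
    if ($user === null || $user['reset_token_hash'] === null) {
        return false;
    }
    // Constant-time comparison of the token hash, plus the expiry check.
    $valid = hash_equals($user['reset_token_hash'], hash('sha256', $token))
        && $now <= $user['reset_expires'];
    if (!$valid) {
        return false;
    }
    $users[$id]['password_hash'] = password_hash($newPassword, PASSWORD_BCRYPT);
    $users[$id]['reset_token_hash'] = null; // single use: the link cannot be replayed
    $users[$id]['reset_expires'] = 0;
    return true;
}

$link = startReset($users, 'alice@example.com', time());
parse_str(parse_url($link, PHP_URL_QUERY), $q); // the two GET parameters
var_dump(finishReset($users, (int) $q['id'], $q['token'], 'correct horse battery', time()));
var_dump(finishReset($users, (int) $q['id'], $q['token'], 'another password', time())); // same link again
var_dump(password_verify('correct horse battery', $users[42]['password_hash']));
```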