If you have a “forgot password” feature that sends password reset links via email, then you should be putting auto-login tokens in every single link URL you send to your users via email.
Jeffrey Paul makes a good point. Security shouldn’t be a concern if you are already sending tokens for password resets. Also, if my email is hacked into, I would have much more to worry about than Facebook and Twitter passwords.
Source: sneak.datavibe.net
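One way to mint and check such a link token, as an added example that is not code from the quoted post or from any particular site: the token carries the user id and an expiry time, and an HMAC over both lets the server reject altered or expired links. The key, the 24-hour lifetime, the `login_token` parameter name and all function names are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import urlencode, urlparse

# Constructed demo key; a real deployment loads a random secret from configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 24 * 3600  # assumed link lifetime, in seconds


def _sign(payload: str) -> bytes:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def make_token(user_id: str, now: Optional[float] = None) -> str:
    """Return 'b64(user_id).expiry.signature' for embedding in an email link."""
    expiry = int((time.time() if now is None else now) + TOKEN_TTL)
    uid = base64.urlsafe_b64encode(user_id.encode()).decode().rstrip("=")
    payload = f"{uid}.{expiry}"
    return f"{payload}.{_sign(payload).decode()}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        uid, expiry, sig = token.split(".")
        expiry_ts = int(expiry)
    except ValueError:
        return None  # wrong number of fields or non-numeric expiry
    # Constant-time comparison on bytes; check the MAC before trusting any field.
    if not hmac.compare_digest(sig.encode(), _sign(f"{uid}.{expiry}")):
        return None
    if (time.time() if now is None else now) > expiry_ts:
        return None
    return base64.urlsafe_b64decode(uid + "=" * (-len(uid) % 4)).decode()


def login_link(base_url: str, user_id: str, now: Optional[float] = None) -> str:
    """Append the token to a link that may already carry a query string."""
    sep = "&" if urlparse(base_url).query else "?"
    return base_url + sep + urlencode({"login_token": make_token(user_id, now)})
```

This token is stateless, so a link stays usable until it expires; making it single-use, as reset links usually are, requires recording redeemed tokens on the server.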