pojosontheweb / woko

POJOs on the Web !
http://www.pojosontheweb.com
Apache License 2.0

[usermanagement] resetPassword is httpsession-dependent #208

Closed vankeisb closed 11 years ago

vankeisb commented 11 years ago

The process:

  1. user hits /resetPassword, enters his email address and submits
  2. user receives an email with a link (with a token inside)
  3. user opens this link, this resets his password and shows the new one

The problem is that step 1 sets a session attribute and step 3 needs it. So the whole process can fail if steps 1 and 3 are not performed in the same HTTP session!

We need a more robust approach.
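To make the failure concrete and show a session-independent alternative, here is an added Python example; it is not Woko's code, and the in-memory token store, function names and email addresses are constructed for illustration:

```python
import hashlib
import secrets
import time

# --- Session-dependent flow, as described in the issue (constructed illustration) ---
def request_reset_session_bound(session, email):
    """Step 1: remember the email in the HTTP session and hand back the emailed token."""
    token = secrets.token_urlsafe(32)
    session["reset_email"] = email
    session["reset_token"] = token
    return token

def redeem_session_bound(session, token):
    """Step 3: only succeeds if the link is opened in the SAME session as step 1."""
    if session.get("reset_token") != token:
        return None  # different session => no attribute => reset fails
    session.pop("reset_token")
    return session.pop("reset_email")

# --- Session-independent flow: state lives server-side, keyed by the token itself ---
class ResetTokenStore:
    """Pending resets keyed by a hash of the token, with expiry and single use.
    Hypothetical in-memory store; a real deployment would persist this in its database."""
    TTL_SECONDS = 3600

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Step 1: create a random token; store only its hash, never the token."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self._now() + self.TTL_SECONDS)
        return token  # embedded in the emailed link

    def redeem(self, token):
        """Step 3: look the token up by hash; no HTTP session attribute is required.
        Returns the email to reset, or None if the token is unknown, expired or already used."""
        entry = self._pending.pop(self._digest(token), None)  # pop => single use
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email
```

Opening the link from a different browser or after the first session expired works with `ResetTokenStore` because step 3 depends only on the token in the URL.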