PHP's uniqid() Does Not Generate Random IDs
Recently I was involved with a security audit on a PHP-based site. After I'd finished looking for XSS and SQL injection vulnerabilities, I turned my attention to more subtle attack vectors.
One thing that caught my attention was the use of uniqid() in the password reset process. This function should NEVER be used for this kind of thing, because its output is not random...
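As an added example (not code from the original post), the PHP script below decodes a default-format uniqid() value back into the two clock fields it encodes, checks them against the wall clock, and shows the CSPRNG-based token a reset flow should use instead; the function names are my own.

```php
<?php
// Added example, not from the original post: why uniqid() is a poor
// password-reset token, and what to generate instead.

/**
 * Split a default-format uniqid() value into the timestamp fields it
 * encodes: 8 hex digits of Unix seconds followed by 5 hex digits of
 * microseconds (PHP builds it as sprintf("%08x%05x", sec, usec)).
 */
function decodeUniqid(string $id): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $id)) {
        throw new InvalidArgumentException('not a default-format uniqid()');
    }
    return [
        'seconds'      => hexdec(substr($id, 0, 8)),
        'microseconds' => hexdec(substr($id, 8, 5)),
    ];
}

/**
 * A reset token drawn from the OS CSPRNG: 32 bytes = 256 bits of
 * entropy, hex-encoded so it is safe to put in a URL.
 */
function makeResetToken(): string
{
    return bin2hex(random_bytes(32));
}

// Demonstration: a uniqid() value is simply the current time, readable
// by anyone who sees it.
$id     = uniqid();
$fields = decodeUniqid($id);
printf("uniqid() = %s -> seconds=%d (%s), microseconds=%d\n",
    $id, $fields['seconds'], date('c', $fields['seconds']), $fields['microseconds']);

// Sanity check: the decoded seconds agree with the wall clock.
if (abs($fields['seconds'] - time()) > 1) {
    throw new RuntimeException('decoded timestamp does not match clock');
}

// Two consecutive calls differ only in the low digits, because only the
// microsecond field has moved; there is no secret in either value.
$a = uniqid();
$b = uniqid();
printf("consecutive: %s %s (shared prefix: %s)\n", $a, $b, substr($a, 0, 8));

// What a reset flow should e-mail to the user instead.
printf("random token: %s\n", makeResetToken());
```

Store only a hash of the random token (e.g. hash('sha256', $token)) with an expiry on the server side, and compare submitted tokens with hash_equals() to avoid timing leaks.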