After a user resets their password, what is the general process as far as tokens and token expiration goes security-wise? Do I set token to empty and the token expiration to now() , set null to empty, etc.?