
Except one: if a user forgets their password, after they enter their e-mail, the browser redirects straight to the index page. In this case the user has no feedback about whether their password recovery procedure worked (or how it's supposed to work).
Of course, sooner or later they'll notice the password recovery e-mail in their inbox, but the user experience could be better here.
My proposal is to add a parameter to the redirect() function, called "force", which would be set to true when the function is called from actions such as do_lostpw:
redirect('index.php', $lang->redirect_lostpwsent, '', true);
There may be other use cases for this feature. Patch attached.