A couple of other points for implementors:

a) For browsers without even an expired session, obviously the user would first have to type in an e-mail address (of a registered user).

b) To reduce phishing, the e-mail should contain something (a private name, say) that only the genuine site would know about the user.

c) The e-mailed login-URL should work only once and have a short expiry time, e.g. 15 minutes.

d) Change of e-mail address may require a password as well as a veto e-mail to the old address, and a validation e-mail to the new address.
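
Points (a) to (c) as an added example, not part of the original post: a login-link store that issues only to registered addresses, puts the user's private name in the e-mail, and accepts each link once within 15 minutes. The class name `LoginLinkStore`, the in-memory dictionaries, the `example.test` URL and the sample data are assumptions for illustration; a real site would use its own database and mailer.

```python
import hashlib
import secrets
import time

LOGIN_TTL_SECONDS = 15 * 60  # point (c): short expiry, e.g. 15 minutes


class LoginLinkStore:
    """Hypothetical in-memory store of pending login links."""

    def __init__(self, registered, clock=time.time):
        self.registered = registered  # e-mail -> private name (point b)
        self.pending = {}             # sha256(token) -> (e-mail, expiry)
        self.clock = clock            # injectable so expiry can be tested

    def issue(self, email, base_url="https://example.test/login"):
        """Return the e-mail body for a registered address, else None (point a)."""
        private_name = self.registered.get(email)
        if private_name is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Store only a hash, so a leaked table cannot be replayed as links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, self.clock() + LOGIN_TTL_SECONDS)
        return f"Hello {private_name},\nLog in: {base_url}?t={token}\n"

    def redeem(self, token):
        """Return the e-mail to log in as, or None if unknown, used or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() removes the entry on first use, so the link works only once,
        # and an expired link is discarded rather than left for a retry.
        entry = self.pending.pop(digest, None)
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            return None
        return email


if __name__ == "__main__":
    # Constructed sample data.
    store = LoginLinkStore({"alice@example.test": "Bluebird"})
    body = store.issue("alice@example.test")
    token = body.split("?t=")[1].strip()
    print(store.redeem(token))  # first use succeeds
    print(store.redeem(token))  # second use is rejected
```
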