A couple of other points for implementors:
a) For browsers without even an expired session, obviously the user would first have to type in an e-mail address (of a registered user).
b) To reduce phishing, the e-mail should contain something (a private name, say) that only the genuine site would know about the user.
c) The e-mailed login URL should work only once and have a short expiry time, e.g. 15 minutes.
d) Change of e-mail address may require a password as well as a veto e-mail to the old address and a validation e-mail to the new address.