"Forgot password" is not the same as "Change password". Normally, in pretty much all systems, there's a way to force password expiry (globally and/or per user), with the system always offering to change the password (and updating "last changed" field in the DB at the same time), as well as prompting the user to change it explicitly, closer to the expiry date and maybe some additional handling for when it has already expired. I think such standard things should be part of the core product, out of the box.