"Forgot password" functionality does not mean sending the old plain-text password to the user. Not at all. Actually this is the most vulnerable point in an application, since you have no control over what's happening. Generating a one-time password, sending it to the user and forcing the user to change it is a common approach, although not more secure than sending the old password. Why? Because there is only one channel and only one component is involved.
If you want to identify somebody, you have three components to use; you can ask three kinds of "questions".
You can be identified using these components:
1) what you have - a hard or soft token, smart card, a phone
2) what you know - a password, an answer to a question
3) what you are - biometric data
For a general web application it is hard to implement the third component. Still, you have two left. You should use these two.
Still, most pages use only the second component, but they are using at least two different aspects of it, like passwords and secret questions. If your application is not that critical, you can do the same.
This is a good starting point: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet, and some more thoughts here: http://www.securabit.com/wp-content/uploads/2010/08/self-service-password-reset_v5-1.pdf
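An added example (not part of the original answer) of a reset flow that requires both components discussed above: a token delivered to something the user has, plus a secret answer the user knows. `ResetService`, `TOKEN_TTL`, the in-memory dictionaries and the choice to burn the token on any failed attempt are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900  # seconds a reset token stays valid (assumed value)

def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class ResetService:
    def __init__(self):
        self.users = {}    # user -> {"salt", "pw", "answer"}; only derived keys stored
        self.pending = {}  # user -> (sha256 of token, expiry time)

    def enroll(self, user, password, answer):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pw": kdf(password, salt),
                            "answer": kdf(answer.strip().lower(), salt)}

    def start_reset(self, user, now=None):
        """Component 1 (what you have): token for the registered mailbox or phone."""
        now = time.time() if now is None else now
        if user not in self.users:
            return None  # caller shows the same message either way
        token = secrets.token_urlsafe(32)
        self.pending[user] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
        return token  # delivered out of band; the old password is never sent

    def finish_reset(self, user, token, answer, new_password, now=None):
        """Needs the token AND component 2 (what you know): the secret answer."""
        now = time.time() if now is None else now
        rec = self.users.get(user)
        pend = self.pending.pop(user, None)  # single use: any attempt burns the token
        if rec is None or pend is None or now > pend[1]:
            return False
        ok_token = hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pend[0])
        ok_answer = hmac.compare_digest(kdf(answer.strip().lower(), rec["salt"]),
                                        rec["answer"])
        if not (ok_token and ok_answer):
            return False
        rec["pw"] = kdf(new_password, rec["salt"])  # user picks the new password
        return True

    def check_password(self, user, password):
        rec = self.users.get(user)
        return rec is not None and hmac.compare_digest(kdf(password, rec["salt"]), rec["pw"])
```

A token intercepted in the mailbox is not enough on its own here, and neither is a guessed secret answer without the token.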