Best practice to change password while user is already logged in
What is the best practice for changing passwords while the user is already logged in? In my application to change the password, the user who is already logged in has to pass the current password and a new password. There is no email confirmation neccesary.
Tester suggested that password change should be done only by sending an email with a link to change password, is it really necessary? I did not find this recommendation in OWASP Cheat Sheet or ASVS. I agree that second-factor confirmation is always a more secure solution like using SMS code verification/email code verification, but is it a standard solution or just an additional security feature?
No, it's not necessary per se. Many sites do it the way you are implementing, although there's no harm in doing it the suggested way either.
However, it is at least a good idea to send an email confirmation when actions like a password change are performed.