I'm writing a password reset page.
So now I don't know which user to update in the DB.
My options (that I can think of):
Your solution in option 2 (add the token to a hidden input) makes sense, or you could just post the form to the same URL (the one with the token in it, so you don't lose it) and structure your logic to work based on whether or not the form was posted.
The logic could look like this:
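The answer's own code block is not present on this page. The following is an added example, not the answer author's code, of the approach it describes: the reset form posts back to the same `/reset?token=...` URL, a single handler branches on GET versus POST, and the token in the URL is what identifies the user, which is the problem the question raises. The names (`USERS`, `RESET_TOKENS`, `handle_reset`) and the in-memory dicts standing in for database tables are assumptions. It also adds the checks a practitioner would want here: only a hash of the token is stored, tokens expire and are single-use, and the new password is stored with PBKDF2 rather than in clear.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores (assumption: the real app keeps these in DB tables).
USERS = {"alice": {"salt": None, "password_hash": None}}
RESET_TOKENS = {}            # sha256(token) -> {"user": ..., "expires": ...}
TOKEN_TTL = 30 * 60          # reset links stay valid for 30 minutes
PBKDF2_ROUNDS = 600_000      # OWASP-recommended iteration count for PBKDF2-HMAC-SHA256


def _hash_token(token: str) -> str:
    # Only the hash is persisted, so a leaked table row is not a usable reset link.
    return hashlib.sha256(token.encode()).hexdigest()


def create_reset_token(username: str, now: Optional[float] = None) -> str:
    """Mint a random single-use token for `username` and store its hash with an expiry."""
    if username not in USERS:
        raise KeyError(username)
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash_token(token)] = {"user": username, "expires": now + TOKEN_TTL}
    return token


def find_user_by_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Map the token from the URL back to the user it was issued for, or None."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash_token(token))
    if record is None or record["expires"] < now:
        return None
    return record["user"]


def _set_password(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username]["salt"] = salt
    USERS[username]["password_hash"] = digest


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None or user["password_hash"] is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, user["password_hash"])


def handle_reset(method: str, token: str, form: Optional[dict] = None,
                 now: Optional[float] = None) -> dict:
    """One handler for GET and POST on /reset?token=...; the token never leaves the URL,
    so the POST carries it back without a hidden input."""
    user = find_user_by_token(token, now)
    if user is None:
        # Same response for unknown, expired and already-used tokens.
        return {"status": 400, "error": "invalid or expired token"}
    if method == "GET":
        # Render the form; its action is the very URL we were called on.
        return {"status": 200, "render": "reset_form", "action": f"/reset?token={token}"}
    if method == "POST":
        form = form or {}
        password, confirm = form.get("password", ""), form.get("confirm", "")
        if len(password) < 12 or password != confirm:
            return {"status": 400, "error": "passwords must match and be at least 12 characters"}
        _set_password(user, password)
        # Single use: burn this token and any other outstanding token for the same user.
        for key in [k for k, v in RESET_TOKENS.items() if v["user"] == user]:
            del RESET_TOKENS[key]
        return {"status": 303, "redirect": "/login"}
    return {"status": 405, "error": "method not allowed"}


if __name__ == "__main__":
    link_token = create_reset_token("alice")
    print("GET :", handle_reset("GET", link_token))
    print("POST:", handle_reset("POST", link_token,
                                {"password": "correct horse battery", "confirm": "correct horse battery"}))
    print("reuse:", handle_reset("GET", link_token))
```

The `now` parameter exists only so expiry can be exercised deterministically; in a real handler it is omitted and the current time is used.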
I would do this:
This way only the user with the session ID that requested the password reset can change his password.