Good one, quick question! Say you are person A and uses persons B email address, won't the reset email verification be sent to their email address, which you have zero access to. So how is it possible to obtain their session session.id?

Was the website susceptible to a host header injection too?