GET /api/profile with second parallel session cookie after password change
Result:
HTTP/1.1 200 OK

Response body showed authenticated victim1 profile after password was changed in another active session.
