GET /api/profile with old pre-reset session cookie
Result:
HTTP/1.1 200 OK

Response body showed authenticated victim1 profile after password reset had already completed.
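
Added example, not part of the original finding: a minimal in-memory session model in Python that reproduces the observed result (pre-reset cookie still answered with 200) beside a hardened mode that revokes sessions when the password is reset. The SessionStore class, its methods and the timestamps are constructed for illustration; only /api/profile and victim1 come from the finding.

```python
import secrets
import time


class SessionStore:
    """In-memory model of server-side sessions keyed by an opaque cookie value."""

    def __init__(self, revoke_on_reset):
        self.revoke_on_reset = revoke_on_reset  # False models the observed behaviour
        self.sessions = {}                      # token -> (user, issued_at)
        self.reset_at = {}                      # user -> time of last password reset

    def login(self, user, now=None):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, time.time() if now is None else now)
        return token

    def reset_password(self, user, now=None):
        now = time.time() if now is None else now
        if self.revoke_on_reset:
            # Record the reset time and drop every session the user held.
            self.reset_at[user] = now
            for tok in [t for t, (u, _) in self.sessions.items() if u == user]:
                del self.sessions[tok]

    def get_profile(self, token):
        """Return (status, body) the way GET /api/profile would."""
        entry = self.sessions.get(token)
        if entry is None:
            return 401, None
        user, issued_at = entry
        # Second check: refuse any session issued before the last reset,
        # even if it survived deletion (for example in a cache or replica).
        if issued_at <= self.reset_at.get(user, float("-inf")):
            return 401, None
        return 200, {"user": user}


def replay_old_cookie(revoke_on_reset):
    """Log in, reset the password, then present the pre-reset cookie again."""
    store = SessionStore(revoke_on_reset)
    old = store.login("victim1", now=100.0)      # constructed timestamps
    store.reset_password("victim1", now=200.0)
    new = store.login("victim1", now=201.0)
    return store.get_profile(old)[0], store.get_profile(new)[0]
```

replay_old_cookie(False) returns (200, 200), matching the result above; replay_old_cookie(True) returns (401, 200), which is the behaviour a retest should confirm.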
