Session mismatch leading to potential account takeover (local access required)