is that really an account takeover? how would you get the cookies to paste in the response. also, by decrypting the session cookie which is actually a JWT i don't think its possible to create any random JWT and use it as session cookie. if you don't mind i would like to know the response of the triaggers. please correct me where i am wrong, thanks.