1day · Jan 22, 2024

The response to the request that sends the reset email itself contained the session that is appended to the URL. So an attacker could just use that session ID and create the URL
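The flaw described above can be caught with a regression check that compares the reset-request response against the link that was actually mailed. The following is an added example, not code from the original post or the affected application; the handler names, the `session` query parameter, the in-memory `OUTBOX`, and the `app.example` host are all assumptions made for illustration.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for the mail system: records what would be emailed.
OUTBOX = []

def _issue_reset(email, base_url):
    """Hypothetical helper: create a one-time reset session and mail the link."""
    session_id = secrets.token_urlsafe(32)
    OUTBOX.append({"to": email, "link": f"{base_url}/reset?session={session_id}"})
    return session_id

def request_reset_vulnerable(email, base_url="https://app.example"):
    # Mirrors the behaviour in the write-up: the API response echoes the
    # same session id that is appended to the emailed URL.
    return {"status": "sent", "session": _issue_reset(email, base_url)}

def request_reset_hardened(email, base_url="https://app.example"):
    # The secret reaches the user only through their mailbox; the HTTP
    # response is generic and identical for every request.
    _issue_reset(email, base_url)
    return {"status": "sent"}

def leaked_secrets(response, emailed_link):
    """Return query-string secrets from the emailed link found in the response."""
    params = parse_qs(urlparse(emailed_link).query)
    secrets_in_link = [v for values in params.values() for v in values]
    found = []

    def walk(node):
        # Search nested JSON-like structures, not just top-level keys.
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, (list, tuple)):
            for value in node:
                walk(value)
        elif isinstance(node, str):
            found.extend(s for s in secrets_in_link if s in node)

    walk(response)
    return found

def check(handler):
    """Run a handler for a constructed address and report any leaked secret."""
    OUTBOX.clear()
    response = handler("user@example.com")
    return leaked_secrets(response, OUTBOX[-1]["link"])
```

Running `check` against each reset endpoint in an integration test makes the build fail whenever any value from the emailed link also shows up in the response body.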