
The not-fully-trusted user paradigm is actually pretty common in websites for changing your password (enter old password, new password, and new password confirmation). The main reason, as I understand it, is to limit the damage made possible by session hijacking.

Session hijacking and the wrong person auto-logging in are actually the same thing on a technical level; the difference is semantics. In both cases, a logged-in user is not the owner of the account.
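The re-authentication pattern the comment describes, as an added example that is not from the thread: a password change that demands the current password even from a logged-in session, then revokes every other session for that account. The in-memory store and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory stores (hypothetical, not from the thread):
# username -> (salt, password hash); session id -> username.
users = {}
sessions = {}

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; constant-time compare below.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_user(name: str, password: str) -> None:
    salt = os.urandom(16)
    users[name] = (salt, _hash(password, salt))

def login(name: str, password: str) -> Optional[str]:
    salt, digest = users[name]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return None
    sid = secrets.token_urlsafe(32)
    sessions[sid] = name
    return sid

def change_password(sid: str, old: str, new: str, confirm: str) -> bool:
    """Change the password for the session's user.

    The session alone is not trusted for this action: the current password
    must be supplied again, so a hijacked session cookie by itself cannot
    lock the real owner out of the account.
    """
    name = sessions.get(sid)
    if name is None or new != confirm:
        return False
    salt, digest = users[name]
    if not hmac.compare_digest(_hash(old, salt), digest):
        return False
    new_salt = os.urandom(16)
    users[name] = (new_salt, _hash(new, new_salt))
    # Revoke every other session for this user, which ends a hijacked one.
    for other in [s for s, u in sessions.items() if u == name and s != sid]:
        del sessions[other]
    return True
```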



