If the client has a session, the client is passing the session hash on each and every call. You have to accept it and check it, whether it's in a session cookie or manually as a GET param. The server doesn't "know" what session it's receiving a call from; it uses the session cookie sent by the client to check it.
Meaning, those $_SESSION variables in PHP are stored on the server, but the server only knows which session to access based on a key passed with every call from the client. A hacker copying someone's PHP session ID would "trick" PHP into using the target's server-side variables.
If you're coming from a reset password email and the user has no active session, a token has to be sent via GET and checked, which means you have to look it up and verify it.
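As an added example (not code from the original post), here is the look-up-and-verify step for a reset token that arrives via GET with no session behind it. The in-memory array, the function names and the one-hour lifetime are assumptions standing in for a real database table.

```php
<?php
// Added example: password-reset tokens sent via GET must be looked up and verified
// on the server. $store is an assumed in-memory stand-in for a database table.

const RESET_TOKEN_TTL = 3600; // seconds a reset link stays valid (assumed value)

/** Create a reset token for $userId; returns the raw token to embed in the email link. */
function createResetToken(array &$store, int $userId): string {
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $store[$userId] = [
        'hash'    => hash('sha256', $token),       // store only the hash, never the raw token
        'expires' => time() + RESET_TOKEN_TTL,
        'used'    => false,
    ];
    return $token;
}

/** Look up and verify the token from ?token=... ; returns the user id or null. */
function verifyResetToken(array &$store, string $token): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                               // malformed input: reject before any lookup
    }
    $candidate = hash('sha256', $token);
    foreach ($store as $userId => $rec) {
        // hash_equals() compares in constant time, so the check does not leak via timing
        if (!$rec['used'] && $rec['expires'] > time() && hash_equals($rec['hash'], $candidate)) {
            $store[$userId]['used'] = true;        // single use: burn the token on success
            return $userId;
        }
    }
    return null;                                   // unknown, expired or already-used token
}

// Usage, simulating the GET callback from the emailed link.
$store = [];
$raw = createResetToken($store, 42);
// $raw would be placed in the email as .../reset.php?token=$raw
$_GET['token'] = $raw;
$userId = verifyResetToken($store, (string)($_GET['token'] ?? ''));
if ($userId === null) {
    http_response_code(400);
    exit('Invalid or expired reset link.');
}
// A valid token identifies the user; the password change and a fresh session follow here.
```

Only the hash of the token is stored, so a read of the table does not hand out usable reset links, and the token is rejected once used or after it expires.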