Exactly that. (Hijack session rather than account: any competently designed system should require re-auth before any action that would allow permanent account takeover).