I am new to web dev and trying to implement a password reset feature according to the OWASP cheatsheets: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
The cheat sheet advises not to send the username as a parameter when the form is submitted and sent to the server. Instead, one should store it in the server-side session. However, I am not sure how I should do that, since for me to be able to store the username in such a way, the user needs to enter his/her username and send it to the server at some point, right? Why not send it together with the form where the user answers security questions? Or am I just understanding this the wrong way?
Thank you in advance! Best regards, Samuel
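
The two-step flow asked about above, as an added example that is not part of the original post and is not code from the OWASP cheat sheet: the username is submitted once, bound to a server-side session, and the later security-question form is checked against the session value rather than a form field. The function names, the in-memory stores, the plaintext sample answers and the attempt limit are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed sample data: username -> security answer.
# (Assumption for brevity; a real system would store a hash of the answer.)
USERS = {"alice": "blue", "bob": "green"}

# Server-side session store: session id -> session data. Never sent to the client.
SESSIONS = {}

MAX_ATTEMPTS = 3  # assumed limit, not taken from the page


def start_reset(username):
    """Step 1: the username arrives once and is bound to a fresh session."""
    sid = secrets.token_urlsafe(32)
    # Stored even for unknown accounts so the response looks the same either way.
    SESSIONS[sid] = {"reset_user": username, "attempts": 0}
    return sid  # the browser only ever receives this opaque id (as a cookie)


def answer_question(sid, form):
    """Step 2: the form carries only the answer; the account comes from the session."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    session["attempts"] += 1
    if session["attempts"] > MAX_ATTEMPTS:
        del SESSIONS[sid]  # force the user to start over
        return False
    username = session["reset_user"]  # form.get("username") is deliberately ignored
    expected = USERS.get(username)
    supplied = form.get("answer", "")
    ok = expected is not None and hmac.compare_digest(
        expected.encode(), supplied.encode()
    )
    if ok:
        session["verified_user"] = username  # later steps read this, not the form
    return ok


if __name__ == "__main__":
    sid = start_reset("alice")
    # A tampered form that names another account and gives that account's answer.
    print(answer_question(sid, {"username": "bob", "answer": "green"}))
    print(answer_question(sid, {"answer": "blue"}))
```

Because the second request identifies the account only through the session, changing a `username` field between steps cannot redirect the reset to a different account.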