Authentication and Authorization Labs - Exercises

Password Reset Exercise 2 is a duplicate of exercise 1, and likewise exercise 4 is a duplicate of exercise 3? The link for the password reset is exactly the same? Nothing changes?

Still in the Authentication and Authorization labs, Challenges 1 and 2 aren’t clear. On challenge 1 we’re supposed to find an Insecure Direct Object Reference, and on challenge 2 ‘Missing Function Level Access Control’.
On chall 1 I can manipulate the voting system by voting with the other users (by cookie manipulation), but I cannot access any ‘unsupposed’ page without a VALID sessionid cookie. On chall 2, I cannot actually do anything?

Can someone explain these exercises please?