Thanks! But the user shouldn’t be logged in for an in process request only, but the complete session should be authenticated/logged in if a valid url is used, see the link for more details
The docs explain how to impersonate a user, i.e. authenticates as a user without their password. It’s not just for the duration of the in process request.