It sounds like you have checked a 'remember me' and a permanent cookie was set. I am also guessing that the code will have to match the email address in the cookie, so changing it would fail that check. Unless you can guess another email address and their associated code, and that user has actually also used a remember me.
I would be very surprised if Ion Auth had a hole in it that gaping. I tend to use my own library for auth now but when I do not I use Ion Auth every time. It is so simple and quick to implement and is very well written.
Best wishes,
Paul.