For the check of the session variable on the email password page you could just add in a simple if statement like this:
if(!isset($_SESSION['your var']) || $_SESSION['your var'] != 'the value of this var'){
header("Location: your_verify_page.php");
}
This check will make sure that if the user does not have this session variable set or it does not have the correct value the user will be redirected back to your verify page. You would need to fill in the parts about your session variable name, the value and your verify page.
For the question portion of this you will need to have a table in your db with pre-determined questions stored in it. You will need to add columns to your users table to hold a value for the question and another for the answer, you would need a pair of these columns for each security question you want to store for the user.
To use this you would just query your question table based on the question id value stored in the user table, for the answer you would have the user enter it in a text field.
You would then submit the form and attempt to filter a user recordset based on the answers given, then you can proceed with the rest of it. Please let me know if you have any further questions for any part of this.