So how does a developer prevent such an insecurity? I usually thought a "log in" or a "sign in" on a site was just PHP session variables stored on the server. But now I realize that there must be more to a log in. If there is not more to it, then I could crack into people's accounts on all the sites out there.
I'm so very confused on how logins are handled. :S
Thanks for reading. I appreciate any help with my confusion.
EDIT:
Actually I just realized that 64^32 (which is the number of possible session IDs) is over 6 octodecillion (6,277,101,740,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000). Even if there were 9 billion people logged on all at once, that would mean a cracker would have to go through at least 1 quindecillion (1 with 48 zeros following). I guess it's very unrealistic to think that you can just simply loop through all of these possible values and finally strike gold.
But I noticed that sessions on the server don't die right away. A user shuts down their browser, but how long does the session remain on the server? Over time every user would have multiple sessions on the server not being used anymore.
Someone please reassure me with some common sense.
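An added worked example (not from the post or any reply) that turns the arithmetic in the question into code: it computes the session-ID space, the average number of blind guesses needed to land on any one of the currently valid sessions, and how stale sessions left behind by closed browsers inflate that count. The login rate, guess rate and garbage-collection window are assumed sample values; 1440 seconds is PHP's default `session.gc_maxlifetime`.

```python
from math import log2

SECONDS_PER_YEAR = 365 * 24 * 3600


def id_space(alphabet_size: int, length: int) -> int:
    """Number of distinct session IDs: alphabet_size ** length (64**32 in the question)."""
    return alphabet_size ** length


def expected_guesses(alphabet_size: int, length: int, live_sessions: int) -> float:
    """Average random guesses before hitting ANY of `live_sessions` valid IDs.

    Each guess succeeds with probability live/space, so the expected number of
    tries is space/live. More valid sessions make guessing linearly easier."""
    return id_space(alphabet_size, length) / live_sessions


def effective_bits(alphabet_size: int, length: int, live_sessions: int) -> float:
    """Security margin in bits once the number of valid targets is accounted for."""
    return log2(expected_guesses(alphabet_size, length, live_sessions))


def years_to_hit(alphabet_size: int, length: int, live_sessions: int,
                 guesses_per_second: float) -> float:
    """Wall-clock years for an attacker guessing at a fixed rate to expect one hit."""
    seconds = expected_guesses(alphabet_size, length, live_sessions) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def stale_sessions(logins_per_second: float, gc_maxlifetime: int) -> float:
    """Sessions still valid on the server although the browser was closed.

    Every session started within one garbage-collection window stays valid until
    the collector runs, so the backlog is roughly login rate * window length."""
    return logins_per_second * gc_maxlifetime


if __name__ == "__main__":
    space = id_space(64, 32)
    print(f"ID space: {space:.3e}")                      # 6.277e57, as in the question
    live = 9_000_000_000                                  # the question's 9 billion users
    print(f"expected guesses with 9e9 live sessions: {expected_guesses(64, 32, live):.3e}")
    print(f"effective security: {effective_bits(64, 32, live):.1f} bits")
    # Assumed: a busy site with 100 logins/s and the default 1440 s GC window.
    backlog = stale_sessions(100, 1440)
    print(f"stale sessions per GC window: {backlog:.0f}")
    # Assumed attacker rate of 1e9 guesses/s; stale sessions barely move the result.
    print(f"years to one hit: {years_to_hit(64, 32, live + int(backlog), 1e9):.3e}")
```

The backlog of abandoned sessions only subtracts a handful of bits from a 192-bit space, which is why the "common sense" answer is that guessing is not the realistic threat; the server-side lifetime matters for how long a leaked or stolen ID stays usable, not for brute force.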