But in a well written session module, the identifying value is sufficiently random and from a sufficiently large pool, that they would have to try for a very, very long time before they hit another valid session.

If you give your sessions consecutive identifying values, then of course you are just asking for trouble...