There are actually three distinct and unrelated(!) issues here:

• Persistence:   This is actually the only thing that “sessions” do. By themselves, sessions know how to retrieve and store a vector of state-information, given a session-ID key, but do not validate the correctness of that key.
• Authentication:   Determining, to your satisfaction, that the user actually is who he claims to be.
• Authorization:   Given that you have determined that the user actually is who he claims to be, what can the user do?

Many web sites make the serious error of confusing “knowledge of a currently-valid (or even just properly formatted...) session-ID” with “being the properly-authenticated legitimate owner of that session-ID.” They also honor valid-looking GET-request URIs without first verifying that the claimed presenter of such a URI is in fact currently logged-in. It is painfully obvious that the owners and designers of such sites never stopped to “talk like a pirate... arrrrr!!!”

They never stopped to consider: “what if the person submitting an HTTP-request to my site was intentionally and willfully attempting to commit a felony?”