I first tried the following on my Moodle 3.5.1 installed on my server and then tried it on Moodle's sandbox to make sure it's not something wrong with my server (video below):
I opened two browsers: in the Firefox browser I logged in as an admin, in the Chrome browser I logged in as a student.
Then I copied the content of the "MoodleSession" cookie ("MoodleSession" stores the session id, right?) from the browser where I was logged in as an admin, and pasted it as the new content of the "MoodleSession" cookie in the browser in which I was logged in as a student.
At this point I was logged in as an admin in the browser where I had logged in as a student, just by knowing the session id.
Video of this here: https://streamable.com/qm4s0w
On my Moodle, I even tried to change the IP of the users in the "sessions" table ("firstip" and "lastip"), so that each of these users would have a different IP, and still I was identified as "admin" even though I never entered the admin details and just pasted the cookie's content.
Now I know it's easy because I'm an admin and already know the session id, but my question is this:
Does this mean a user can steal another user's session by stealing their session cookie? Isn't that dangerous? Are there any security measures I can take to prevent it?
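As an added example (not from the original post and not Moodle's own code), the following Python session store reproduces what the post describes: the session id in the cookie is a bearer token, so whoever presents it is treated as that user, regardless of which browser or IP it comes from. The same store also shows one common mitigation, binding the session to the client that created it (the IP address and User-Agent are the assumed fingerprint here; the names `SessionStore`, `who_is` and `demo` are mine), plus the cookie attributes that make the token harder to steal in the first place.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    fingerprint: str  # hash of the client attributes the session is bound to


class SessionStore:
    """In-memory session store; bind_to_client toggles the mitigation."""

    def __init__(self, bind_to_client: bool = False):
        self.bind_to_client = bind_to_client
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def fingerprint(ip: str, user_agent: str) -> str:
        # Assumed fingerprint: client IP plus User-Agent string
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def login(self, user: str, ip: str, user_agent: str) -> str:
        # 128-bit random id: unguessable, so stealing it is the only attack left
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(user, self.fingerprint(ip, user_agent))
        return sid

    def who_is(self, sid: str, ip: str, user_agent: str) -> Optional[str]:
        """Resolve a presented session id to a user, or None if invalid."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.bind_to_client and s.fingerprint != self.fingerprint(ip, user_agent):
            # Session presented from a different client: treat as a hijack and revoke it
            del self._sessions[sid]
            return None
        return s.user


def set_cookie_header(sid: str) -> str:
    # Secure: only sent over HTTPS; HttpOnly: not readable by page scripts;
    # SameSite: not attached to most cross-site requests
    return f"Set-Cookie: MoodleSession={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo(bind: bool) -> Tuple[Optional[str], Optional[str]]:
    """Replay the post's experiment: student's browser presents admin's cookie."""
    store = SessionStore(bind_to_client=bind)
    admin_sid = store.login("admin", "10.0.0.1", "Firefox")   # constructed client
    store.login("student", "10.0.0.2", "Chrome")              # constructed client
    # The student's browser (different IP and UA) presents the copied admin cookie
    hijacked = store.who_is(admin_sid, "10.0.0.2", "Chrome")
    # The admin's own browser tries the same session afterwards
    admin_still = store.who_is(admin_sid, "10.0.0.1", "Firefox")
    return hijacked, admin_still


if __name__ == "__main__":
    print(demo(bind=False))  # ('admin', 'admin'): the copied cookie is enough
    print(demo(bind=True))   # (None, None): mismatch rejected and session revoked
    print(set_cookie_header("example-session-id"))
```

Without binding, the copied cookie alone yields "admin", which is exactly the behaviour in the post; with binding, the mismatch is rejected and the session is revoked, so the legitimate admin is logged out too. Client binding is a heuristic rather than a cure: IP binding breaks for users on mobile networks or behind changing NAT addresses, and the User-Agent is attacker-controlled, so the stronger defences are keeping the token from leaking at all (HTTPS everywhere, `Secure` and `HttpOnly` cookies), regenerating the id on login, and keeping session lifetimes short.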