Sessionn ID Manipulation?????

So today is the last day for Phase 1 for my application penetest. Well, its always funny because its always during the last day that i will find something. In my previous posts, i was saying that the application is very secure. However, i found some session IDs manipulation that allows an attacker to impersonate someone. Well although its not high risk, but think of this situation. Lets say you and your friend is at a school compound or somewhere with network access and suddenly your friend is checking his account. With the mindset of a hacker, you know that by manipulating the session ID will allow you to gain access to his account, while he says that he wants to go to the toilet and forgets to logout, you quickly grab his session id and then change his password. From there on, you can monitor his account's transaction and status and moreover you can transfer money to your own account. I mean there is too many possibility. This is just one of the scenarios. You can let your imagination run wild and can come up with more evil stuff. However i just want to point out that since that application is already so secure, why not take another step to tighten this hole? Agree?????

The Hacka Man