I am confused about the PHPSESSID exploit. If I change
The answer depends on the target site's security checks.
If the site assumes that the
PHPSESSID cookie is enough to authorize access, then yes stealing someone's session would be sufficient to impersonate her, without the need to know her password.
Sites often have additional measures though: they might check whether other parameters such as the IP address or the User Agent have changed during the session and if they detect such a change, invalidate the session and deny access.
Sessions typically also have an expiration, so that if you obtain a session cookie, say from a browser that has been left unattended for hours, the site may deny access because it is past expiration. You see this often with banking sites that will show you a popup telling you that your session expired or is about to expire.
Finally, if a user logs out, a good site will destroy the session. Even though you have the
PHPSESSID cookie, when you present it to the server it won't find the matching session because it would have been destroyed.