Author: zores <hi>
Date: 5/28/2017 6:45:24 AM
Subject: RE: Stored Cross Site Scripting

Also, I didn't do it because I'm a nice guy, but essentially what I could do is this: for anyone who visited my forum post, I could exfiltrate their PHPSESSID and log in as them.

I haven't black-box tested how you're handling session management, how long expiry is (if I remember right, it never expires at all), or how long it takes for your webapp to rotate the session.

But anyway, figured I'd let y'all know. Some dick could potentially grab your admin cookie and start deleting your shit. :)

Planet iCE Speedwave

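The three weaknesses the post points at (a script in a stored post can read PHPSESSID, sessions never expire, the id is never rotated) map onto a few server-side settings. The sketch below is an added example, not code from the forum, its author, or the site being discussed; it assumes a plain PHP-session forum on PHP 7.3 or later, and the function names, timeout values and `render_post` helper are hypothetical.

```php
<?php
// Added example (hypothetical helpers, not the forum's own code).

// 1. Cookie flags. HttpOnly stops document.cookie, and so any script injected
//    through a stored post, from reading PHPSESSID; Secure and SameSite limit
//    where the browser will send it. Strict mode rejects ids the server
//    never issued, so a fixated id cannot be planted either.
function harden_session_cookie(): void {
    session_set_cookie_params([
        'lifetime' => 0,       // dropped when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');
}

// 2. Expiry and rotation, enforced on the server rather than trusted to the
//    cookie. Values are assumed policy, not anything from the post.
const IDLE_TIMEOUT = 30 * 60;   // idle sessions die after 30 minutes
const ROTATE_EVERY = 15 * 60;   // a fresh id at least every 15 minutes

function start_checked_session(): void {
    harden_session_cookie();
    session_start();
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        session_unset();                 // drop all state: stale id is worthless
        session_regenerate_id(true);     // true = delete the old session record
        $_SESSION['rotated_at'] = $now;
    }
    if (!isset($_SESSION['rotated_at']) || $now - $_SESSION['rotated_at'] > ROTATE_EVERY) {
        session_regenerate_id(true);     // a leaked id stops working soon after
        $_SESSION['rotated_at'] = $now;
    }
    $_SESSION['last_seen'] = $now;
}

// Rotate on login too, so a pre-auth id never becomes an admin id.
function on_login(int $user_id): void {
    session_regenerate_id(true);
    $_SESSION['user_id']    = $user_id;
    $_SESSION['rotated_at'] = time();
}

// 3. Output encoding: a stored post body is data, never markup, so the
//    payload that would have read the cookie is rendered as literal text.
function render_post(string $body): string {
    return '<div class="post">' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}
```

Even with all of this in place, escaping on output is the fix for the stored XSS itself; the cookie flags and rotation only limit what a successful injection can take.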