I was thinking to myself what a wonderful world, then I woke up. Afterwards I thought this up.

Okay, suppose you have a social networking site called [url]http://www.friends.com[/url]. Now suppose this site, when you login, stores your PHP session ID as a get variable, i.e.
Code:
http://www.friends.com/profile.php?SESSID=aaaea***0fa*bc00**df6cedb*7b*cb0
Now, (yes another hypothetical) suppose I posted a link on my profile to my external site [url]http://www.mysitezor.com[/url]. When the other users of the site click it they will be taken to my site. I will have a nice little log file showing refferer information. So, later, shouldn't I be able to go to my log file and see their refferer information, right? It should look like this (psuedo).
Code:
IP - 6*.***.66.***
Hostname - <insert random hostname here>
Refferer - http://www.friends.com/profile.php?SESSID=aaaea***0fa*bc00**df6cedb*7b*cb0
Since the SESSID was stored as a GET var, it shows up right? So shouldn't I be able to login to my Friends.com account and change my cookie's SESSID value to the one that I got from the refferer information, thereby hijacking the victim's session?

Just a theory, feedback would be nice.