Easy to do?
That was it. If I can get that code on a site where you are authenticated, I can become you.
Any time you let users post text and you don't religiously restrict the content, they can steal sessions. Scary? If you are a developer it better scare the hell out of you.
So, you might want to start believing every session is stolen. I didn't even try to obfuscate that. Start rolling your session ids from one value to another, and expire them in short intervals. Track the referrer, user agent, etc. Some of these changes don't add any real security, but they do add layers; and that always helps.
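Here is what those layers look like on the server side, as an added example that is not code from this post: a session store that rolls the id on every request, expires idle sessions after a short TTL, and binds each session to the User-Agent it was created with (the class and function names are my own, and the TTL is a made-up value).

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 300  # seconds; assumed value, keep it short so a stolen id goes stale fast


class RollingSessionStore:
    """Server-side session store (hypothetical, added for illustration).

    Every successful request hands the client a fresh id and kills the old
    one, so a copied cookie stops working as soon as the real user makes
    one more request. Sessions also expire when idle and are tied to the
    User-Agent string; a mismatch invalidates the session and is logged as
    a suspicious event worth alerting on.
    """

    def __init__(self, ttl=SESSION_TTL, now=time.time):
        self.ttl = ttl
        self.now = now            # injectable clock so expiry can be tested
        self._sessions = {}       # current session id -> record
        self.suspicious = []      # (old id, reason) for the detection pipeline

    @staticmethod
    def _fingerprint(user_agent):
        return hashlib.sha256(user_agent.encode()).hexdigest()

    def create(self, user, user_agent):
        sid = secrets.token_urlsafe(32)   # 256 bits of CSPRNG output
        self._sessions[sid] = {"user": user, "fp": self._fingerprint(user_agent),
                               "seen": self.now()}
        return sid

    def touch(self, sid, user_agent):
        """Validate a presented id. Returns (user, new_sid), or (None, None)."""
        rec = self._sessions.pop(sid, None)   # the presented id is consumed either way
        if rec is None:
            return None, None
        if self.now() - rec["seen"] > self.ttl:
            self.suspicious.append((sid, "expired"))
            return None, None
        if not hmac.compare_digest(rec["fp"], self._fingerprint(user_agent)):
            self.suspicious.append((sid, "user-agent mismatch"))
            return None, None
        new_sid = secrets.token_urlsafe(32)   # roll: the old id is already gone
        rec["seen"] = self.now()
        self._sessions[new_sid] = rec
        return rec["user"], new_sid
```

Because the id is consumed on every request, an attacker who replays a stolen cookie either finds it already rolled, or rolls it themselves and locks the real user out, which shows up as a failed request from the legitimate client and in the `suspicious` log.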
If you are not familiar with the MySpace XSS hack, read up. It's rich on the details.
If you want to view my server side logging script log.php, check it out; it's just a simple python cgi script that dumps the cookies to a text file.