I don't think it was malicious activity ivica.
But someone else who has your active PHPSESSID and the domain, may be able to get into your session (being you) while it is still active if there are no other safeguards. I am no expert in this. My programming days were more than a decade ago.
The wiki info explains a bit what the meaning is of the Session_id (PHPSESSID in PHP script).
Nice that you have solved it with Steven's advice.
FYI
I have all cookies on but they are all deleted when I close my browser (firefox on gnu/linux gnome2).
It is the safest way imo. The drawback is having to login with your credentials everytime you start the browser, and clicking away all the cookie warnings. It is tedious but becomes routine quickly. I have the login passwords encrypted in .7z files so I don't have to remember the password, just a much easier one because there is no way to get to that password file via Internet in normal circumstances. My computer needs to be broken in to for that to happen.