If typical web-server determines user by Session-ID (that stored in cookies) - what prevents me from Session-ID substitution from another confidant User, such that i can do things like an Authenticated / Authorized user ? Are there any other mechanism to determine truly session ?
The Session ID is usually a secure generated token, that expires after some time.
So yes, if you get a token from a different user, you could impersonate him.
In reality, guessing this token is way harder than even guessing the users password. And you only have a very short time-frame to do so, after which the token expires.