Yeah, so lemme show you a few tools since we’re on the topic of sharing.

1. Find the tool that tickles your fancy here or here.
2. Find a target (for this part I won’t be giving any links).
3. Once you have access to your target, run your file recovery tool (winfr, testdisk, etc).
4. Bring back any and all cookies.
5. Exfiltrate them using twitter, github, email, whatever.
6. Congratulations, you now have access to all the (not yet expired) sessions (i.e. accounts) your target ever used, because they follow(ed) the recommendations in the meme of OP and in your comment.

Please log out from apps and websites!

Depends on your (actually, their, for example if it implies ephemeral server sessions) definition of “incognito”. But if you mean “incognito” as in “private browsing”, it makes no difference (as it has no server side impact whatsoever).

A file is a file, a remote database entry is a remote database entry. You need both gone (and securely deleted, as in srm(1), to be really and irredeemably logged off).

Admittedly, secure deletion doesn’t really matter on the server side, as restoring deleted files require filesystem level access on the server, and if an attacker has that, you’ve got other things to worry about.