The term session hijacking refers to the exploitation of a valid computer session - sometimes also called a session key or Id - to attain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of the magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.
Many web sites allow users to create and manage their own accounts, logging in using a username and password (which may or may not be encrypted during transit) or other authentication method. In order that the user does not have to re-enter their username and password on every page to maintain their session, many web sites use session cookies: a token of information issued by the server and returned by the user's web browser to confirm its identity. If an attacker is able to steal this cookie, they can make requests themselves as if they were the genuine user, gaining access to privileged information or changing data. If this cookie is a persistent cookie, then the impersonation can continue for a considerable period of time. Of course, session hijacking is not limited to the web; any protocol in which state is maintained using a key passed between two parties is vulnerable, especially if it's not encrypted. Thanks Wiki!!
This document is in PDF format. To view it click here.