A Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed by a session token. Because HTTP communication uses many different TCP connections, the web server needs a method to recognize the connections of every user. The most common method uses a token that the web server sends to the client browser after successful client authentication. A session token is normally a string of variable width, and it can be carried in different ways: in the URL, in an HTTP request header as a cookie, in other parts of the HTTP request header, or in the body of the HTTP request.
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server. The session token can be compromised in different ways; the most common are client-side attacks (XSS, malicious JavaScript code, Trojans, etc.) and Man-in-the-middle attacks.
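As an added example (not part of the original article), the following Python shows the defensive side of the two compromise paths just named: a session token drawn from the OS CSPRNG so it cannot be predicted, a Set-Cookie header whose HttpOnly and Secure flags keep the token away from injected JavaScript and plaintext transport, and a small audit function that reports which of those protections an existing Set-Cookie header lacks. The in-memory store and the cookie name SESSIONID are assumptions made for the example.

```python
import hashlib
import secrets
from typing import Dict, List, Optional

# Hypothetical server-side session store, constructed for this example:
# keyed by sha256(token) so a leaked copy of the store yields no usable tokens.
SESSION_STORE: Dict[str, dict] = {}


def new_session_token(nbytes: int = 32) -> str:
    """Unpredictable token from the OS CSPRNG (256 bits of entropy by default),
    so an attacker cannot guess or enumerate valid session identifiers."""
    return secrets.token_urlsafe(nbytes)


def create_session(user: str) -> str:
    token = new_session_token()
    SESSION_STORE[hashlib.sha256(token.encode()).hexdigest()] = {"user": user}
    return token


def lookup_session(token: str) -> Optional[dict]:
    return SESSION_STORE.get(hashlib.sha256(token.encode()).hexdigest())


def build_set_cookie(token: str, name: str = "SESSIONID") -> str:
    """HttpOnly keeps the token out of reach of script injected via XSS;
    Secure stops the browser sending it over plaintext HTTP (the MITM path);
    SameSite=Strict keeps it off cross-site requests."""
    return f"{name}={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


REQUIRED_FLAGS = ("httponly", "secure")


def audit_set_cookie(header: str) -> List[str]:
    """Return the protections missing from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value, the rest are attributes
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        missing.append("samesite")
    return missing
```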
See also: Cross-site scripting (XSS)