A session stores information (in server-side variables) that is used across multiple pages once a user has logged in to an online account. Unlike cookies, this information is not stored on the user's computer; it is typically maintained by the server and created on the first request or after authentication. The session ID is exchanged between the web browser and the server on every request.
A session ID, or session token, is a piece of data used in network communications to identify a session. It identifies a user who has logged into a website, so if an attacker obtains one of these IDs or tokens, they can hijack the session and gain the user's privileges. A session ID is usually a randomly generated string, which lowers the probability of an attacker obtaining a valid one by brute-force search.
Cookies are strings of data that a web server sends to the browser. When the browser later requests an object from the same domain, it sends the same string of data back to the origin server. The data is sent from the web server in an HTTP header called "Set-Cookie", and the browser sends the cookie back to the server in an HTTP header called "Cookie".
The primary purpose of a cookie is to create customized web pages based on user identities.
Attackers who can sniff the traffic of an established TCP session can steal a valid session ID and use it to authenticate to the server as the victim, enabling identity theft, information theft, fraud, and similar abuse.
Session hijacking refers to stealing this session ID and using it to impersonate the user and access data over a valid TCP communication session between two computers. Application-level hijacking means gaining control over the HTTP user session by obtaining its session ID.
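The exchange described above, as an added example that is not part of the original page: the server mints a random session ID at login, sends it in a Set-Cookie header with attributes that make the ID harder to steal, and resolves the browser's Cookie header back to a session on later requests. The class and cookie name (SessionStore, sid) are assumptions, and the store is an in-memory stand-in for a real backend.

```python
import secrets
from http.cookies import SimpleCookie, CookieError

SESSION_COOKIE = "sid"  # assumed cookie name for this example


class SessionStore:
    """Server-side session store keyed by a random session ID (in-memory, example only)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        # 32 bytes from the OS CSPRNG (256 bits): a brute-force search for a
        # valid ID is infeasible, which is the property the text relies on.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        # Invalidating the ID on logout limits how long a stolen one stays useful.
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Build the Set-Cookie value the server sends after login.

    HttpOnly keeps page scripts from reading the ID, Secure restricts it to
    TLS so it cannot be sniffed in cleartext, and SameSite=Strict stops the
    browser from attaching it to cross-site requests.
    """
    return f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def session_from_cookie_header(store, cookie_header):
    """Parse the browser's Cookie header and resolve it to a session, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:  # malformed header: treat as unauthenticated
        return None
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None:
        return None
    return store.lookup(morsel.value)
```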