An attacker who obtains or guesses a session ID can hijack the session and act with the privileges of the user it belongs to.
To prevent this type of attack:
- Set the “HttpOnly” attribute for session cookies
- Generate random session IDs with secure randomness and sufficient length
- Do not leak session IDs
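The controls above, as an added Python example that is not part of the original page: a session ID drawn from the OS CSPRNG with 256 bits of entropy, a Set-Cookie value carrying HttpOnly (plus Secure and SameSite), and two audit checks for reviewing existing IDs and cookies. The helper names, the cookie name and the 128-bit minimum are this example's assumptions.

```python
import base64
import secrets
from http.cookies import SimpleCookie

# Assumed values for this example (not from the original page).
SESSION_ID_BYTES = 32      # 256 bits of entropy from the OS CSPRNG
MIN_SESSION_ID_BITS = 128  # audit threshold: anything shorter is rejected
COOKIE_NAME = "sessionid"


def generate_session_id(nbytes: int = SESSION_ID_BYTES) -> str:
    """Session ID from the secrets module (CSPRNG), URL-safe base64, no padding."""
    return secrets.token_urlsafe(nbytes)


def session_id_bits(session_id: str) -> int:
    """Upper bound on the entropy of a URL-safe base64 token: 8 bits per decoded byte.

    Anything that is not valid URL-safe base64 (e.g. a sequential or hand-made
    identifier such as "12345") is treated as carrying no randomness at all.
    """
    padded = session_id + "=" * (-len(session_id) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return 0
    return len(raw) * 8


def session_id_is_strong(session_id: str) -> bool:
    """True when the ID's entropy bound meets the audit threshold."""
    return session_id_bits(session_id) >= MIN_SESSION_ID_BITS


def build_session_cookie(session_id: str) -> str:
    """Set-Cookie value: HttpOnly hides the ID from scripts, Secure keeps it off plain HTTP."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = session_id
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["samesite"] = "Strict"  # limits cross-site sending of the cookie
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie.output(header="").strip()


def cookie_is_hardened(set_cookie_value: str) -> bool:
    """Audit check on a Set-Cookie value: both HttpOnly and Secure must be present."""
    attrs = {part.strip().lower() for part in set_cookie_value.split(";")[1:]}
    return {"httponly", "secure"} <= attrs


if __name__ == "__main__":
    sid = generate_session_id()
    print(build_session_cookie(sid), session_id_is_strong(sid))
```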