Web sessions are performed differently by each server-side scripting technology, but in common, they begin when the user accesses the website, and they end when the user ends the browser or the session times out. Sessions are used to track user actions, such as a user adding items to their shopping basket—the site keeps track of the items by using the session identifier.
Let’s pretend the website uses e-mail addresses as the identifying data. After the user has logged in, the server will send the browser a cookie holding the user’s e-mail address.
For each page this user will access, the browser will send the cookie containing the user’s e-mail address. The site checks the data in the cookie and enables the user to go where their profile permits.
A hacker could change the data in the cookie, however. Imagine that the cookie contains firstname.lastname@example.org, and each time we access the site we can automatically access restricted areas. If the hacker modifies the e-mail address in his cookie (located on his machine) to be email@example.com, the next time the hacker accesses the site, it will think he is the user anotheruser and enable him to access that user’s data.