Session hijacking is the unauthorized takeover or misuse of a valid application session so an attacker can act as an authenticated user without repeating the normal login flow.
In plain language, session hijacking means someone gains control of the state that proves a user is already signed in and then uses that trusted session as if they were the real user.
Session hijacking matters because authentication is only part of access control. If a valid session can be stolen, replayed, or reused improperly, an attacker may bypass the normal login challenge entirely.
It also matters because modern web and application workflows depend heavily on session tokens, cookies, and temporary identity state. Weak handling of that state can undermine otherwise strong login controls such as Multi-Factor Authentication.
Session hijacking appears in web application security review, API session design, browser security, secure coding, and incident investigation. Teams look for it when assessing Session Management, Cross-Site Scripting, Authentication, and Access Token handling.
It is especially relevant when applications store session state in cookies or bearer tokens and then fail to protect those values properly.
A user signs in to an internal portal, and the application issues a session cookie. If that cookie is exposed through a client-side flaw or poor transport protection, someone else may be able to reuse it and interact with the portal as the signed-in user until the session expires or is revoked.
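The scenario above turns on how the session cookie is issued and protected. The following added example (not code from the original page) sketches a minimal server-side session store with the controls that limit what a captured cookie is worth: unguessable IDs, rotation at login, idle timeout, revocation, and a review check for the cookie attributes; the timeout value and names are assumptions.

```python
import secrets
import time

# Added example, not code from the original page. The idle timeout and
# attribute list are assumed policy values, not taken from the page.
IDLE_TIMEOUT = 15 * 60  # seconds
REQUIRED_ATTRS = ("HttpOnly", "Secure", "SameSite")

class SessionStore:
    def __init__(self, now=time.time):
        self._now = now  # injectable clock so timeouts can be tested
        self._sessions = {}  # session_id -> {"user": ..., "last_seen": ...}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256-bit random, opaque identifier
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def login(self, user, old_sid=None):
        # Issue a fresh ID at authentication: a value fixed or captured
        # before login must not become a valid authenticated session.
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def resolve(self, sid):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._now() - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # idle session is dead; replay fails
            return None
        rec["last_seen"] = self._now()
        return rec["user"]

    def revoke(self, sid):
        self._sessions.pop(sid, None)  # logout or incident response

def set_cookie_header(sid):
    # HttpOnly: not readable by script (XSS); Secure: never sent over plain
    # HTTP; SameSite=Strict: not attached to cross-site requests.
    return (f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict; "
            f"Max-Age={IDLE_TIMEOUT}")

def missing_protections(header):
    """Review check: which protective attributes a Set-Cookie header lacks."""
    attrs = {p.strip().split("=")[0].lower() for p in header.split(";")[1:]}
    return [a for a in REQUIRED_ATTRS if a.lower() not in attrs]
```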
Session hijacking is not the same as stealing a password. The core issue is misuse of an already valid session, not necessarily compromise of the original credentials.
It is also different from Broken Access Control. Broken access control is a broader authorization problem, while session hijacking focuses on the trust state tied to a live or recent login.