D2 · Threats

What is session hijacking?

Session hijacking steals a valid session token (via XSS, network sniffing, or a MITM attack) to impersonate an authenticated user without knowing their password.
Prevention: HTTPS everywhere (prevents sniffing), the HttpOnly and Secure cookie flags, short session timeouts, re-authentication for sensitive actions, and IP binding (only a partial measure, since it breaks legitimate roaming).