
What is Session Hijacking?

via ithemes.com => original post link

Session hijacking is a type of cyberattack that WordPress site owners need to know about. Also known as TCP session hijacking, it lets an attacker pretend to be a logged-in user on a website. The attacker takes over a user's session by obtaining its session ID without the legitimate user's knowledge or permission. Once the attacker holds that session ID, they can masquerade as the targeted user and do everything the authorized user can do while logged in to the site.

One of the worst things hackers can do with a hijacked session is gain access to the server without authenticating. When an attacker hijacks a user's session, they don't need to authenticate themselves as long as the session is active: the server treats them as an already-authenticated user.

In other words, the hacker will enjoy the same access to the server or application as the user they’ve compromised. Since the user already authenticated their session before the attack happened, a successful hijacking lets an attacker bypass authentication.
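To make this concrete, here is an added Python example (not code from the original post or from WordPress) of a minimal server-side session table. The naive lookup trusts whoever presents a valid session ID, which is exactly why a stolen ID bypasses authentication; the bound lookup ties the session to the client context captured at login and revokes it on a mismatch. The client signals, fingerprint scheme and sample values are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    fingerprint: str   # hash of the client context seen at login
    expires: float     # absolute expiry time (epoch seconds)


class SessionStore:
    """Server-side session table keyed only by the random session ID."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _fingerprint(client_ip: str, user_agent: str) -> str:
        # Assumed client context; real deployments may pick other signals.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def login(self, user: str, client_ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session ID
        self._sessions[sid] = Session(user, self._fingerprint(client_ip, user_agent),
                                      time.time() + self.ttl)
        return sid

    def resolve_naive(self, sid: str) -> Optional[str]:
        """Trusts anyone holding the ID: the weakness the article describes."""
        s = self._sessions.get(sid)
        if s is None or s.expires < time.time():
            return None
        return s.user

    def resolve_bound(self, sid: str, client_ip: str, user_agent: str) -> Optional[str]:
        """Only honours the ID when the client context matches the login context."""
        s = self._sessions.get(sid)
        if s is None or s.expires < time.time():
            return None
        if not hmac.compare_digest(s.fingerprint, self._fingerprint(client_ip, user_agent)):
            # Context changed since login: treat the ID as possibly stolen and revoke it.
            del self._sessions[sid]
            return None
        return s.user
```

With the bound lookup, a session ID presented from a different client context is rejected and invalidated, so the legitimate user is logged out rather than silently impersonated.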