The Basic method of session stealing
The simplest way to steal a session is to go on the website that you want to steal the session from, and type the following in the address bar:
prompt('document.cookie value', document.cookie);
You will get a prompt with the contents of your document.cookie variable.
To actually use that data you would use:
document.cookie = prompt('New document.cookie value', '');
And type what you got from the prompt before into that prompt
How to protect for session stealing
One simple way to protect from session stealing would be to check the sessions internal IP and the users IP.
When you set the session:
// A bunch of code here
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
// Loads of more code here
So on every page after that:
What this does is reset the session and kill the page load if the IP Address is incorrect.
This is not a fail safe method as many times a day your IP is reset (Unless you have a static IP)
But it does basically protect against session stealing.
Thanks For Reading!