In computer network security, session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person's session identifier (SID).
Most session fixation attacks are web based, and most rely on session identifiers being accepted from URLs (query string) or POST data.
http://en.wikipedia.org/wiki/Session_fixation
Session poisoning (also referred to as "Session data pollution" and "Session modification") is to exploit insufficient input validation in server applications which copies user input into session variables.
The underlying vulnerability is a state management problem; shared state, race condition, ambiguity in use or plain unprotected modifications of state values.
Session poisoning have been demonstrated in server environments where different non-malicious applications (scripts) share the same session states but where usage differ, causing ambiguity and race conditions.
Session poisoning have been demonstrated in scenarios where attacker is able to introduce malicious scripts into the server environment, which is possible if attacker and victim shares a web hotel.
http://en.wikipedia.org/wiki/Session_poisoning
In computer science, session hijacking refers to the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).