Attack in which an adversary steals a valid session token to impersonate an authenticated user. Prevented by secure cookies, short session timeouts, and token binding.