Regenerate Session ID

Session ID hijacking can be a problem with PHP websites. The PHP session tracking component uses a unique ID for each user’s session, but if this ID is known to another user, that person can hijack the user’s session and see information that should be confidential. Session ID hijacking cannot be completely prevented; you should know the risks so you can mitigate them.

A user who creates a new session by logging in should be assigned a fresh session ID using the session_regenerate_id() function. A hijacking user will try to set the session ID prior to login; regenerating the ID at login prevents this, because the ID the hijacker knows is no longer the one attached to the logged-in session.
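
The following is an added example, not code from the original page: a login routine that calls session_regenerate_id() before marking the session as authenticated, then shows that the pre-login ID differs from the post-login ID. The $users array, the log_in() helper and the credentials are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample account store (a real site would query its user database).
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

/**
 * Hypothetical login helper: checks the password and, on success, swaps the
 * pre-login session ID for a fresh one before marking the session authenticated.
 */
function log_in(array $users, string $name, string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $hash = $users[$name] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;               // failed login: ID and session state unchanged
    }
    // true = delete the old session data, so the pre-login ID stops working.
    if (!session_regenerate_id(true)) {
        return false;               // refuse to authenticate on the old ID
    }
    $_SESSION['user'] = $name;      // the login is recorded only under the new ID
    return true;
}

// Demonstration: all session calls happen before any output is sent.
session_start();
$before = session_id();
$bad    = log_in($users, 'alice', 'wrong password');
$same   = session_id() === $before;     // a failed attempt keeps the ID
$ok     = log_in($users, 'alice', 'correct horse');
$after  = session_id();

printf("failed login: %s, id unchanged: %s\n",
    var_export($bad, true), var_export($same, true));
printf("login ok: %s, id changed: %s\n",
    var_export($ok, true), var_export($after !== $before, true));
```

Passing true to session_regenerate_id() removes the old session data as well, so the ID that existed before login cannot be reused afterwards.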

