Session Hijacking

Via XSS, Example:

First we find an XSS vuln in a comment section:

We can also see that neither the HttpOnly nor the Secure flag is set on the session cookie, so JavaScript can read it and we can steal it.

We then host a PHP script on our attacker site that records the cookie when the victim's browser is directed to us:

Then we drop our payload into the XSS vuln:

We now see our post has been saved:

Then, if we check the server that is gathering cookies, we should see the one that was just stolen.

WiFi / Wireshark: We can sniff a WiFi network for pages like login.php and watch for cookies or passwords being sent. If we see a session cookie in a response we can quickly swap it in for our own cookie to hijack the session. This only works because the cookie travels over plain HTTP; with HTTPS and the Secure flag the cookie is never sent in the clear.

Via a compromised server or file leak: Here we have RCE and can read the server-side session files from the PHP session save path (/var/lib/php5 in this case) and hijack sessions that way.

Broken Authentication: Here, when we click Login, a session cookie is set before we ever enter our credentials. When we then enter our credentials, that same cookie becomes an authenticated session on the server. This is session fixation: the server never regenerates the session ID on login.

This allows us to start the login process, then send the link to someone who clicks it and logs in. The link is legitimate and won't get flagged, but we already know the session cookie value, so we can hijack the session once the user has logged in.
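Added example, not from the original notes: a stdlib-only Python sketch of the server-side fixes for the two weaknesses above (cookie without HttpOnly/Secure, and a pre-auth session ID that is upgraded on login). The cookie name PHPSESSID, the in-memory SessionStore and the user name are assumptions for illustration.

```python
import secrets
from http.cookies import SimpleCookie

REQUIRED_FLAGS = ("httponly", "secure", "samesite")

def missing_cookie_flags(set_cookie_line):
    """Audit a raw Set-Cookie line; return the protective flags it lacks."""
    attrs = [p.strip().lower() for p in set_cookie_line.split(";")[1:]]
    names = {a.split("=", 1)[0] for a in attrs}
    return [f for f in REQUIRED_FLAGS if f not in names]

def session_cookie_header(sid, name="PHPSESSID"):
    """Build a Set-Cookie line with the flags that blunt XSS theft and sniffing."""
    c = SimpleCookie()
    c[name] = sid
    c[name]["httponly"] = True   # document.cookie cannot read it
    c[name]["secure"] = True     # never sent over plain HTTP (WiFi sniffing)
    c[name]["samesite"] = "Lax"  # not attached to most cross-site requests
    c[name]["path"] = "/"
    return c.output(header="Set-Cookie:").strip()

class SessionStore:
    """Minimal in-memory session store (hypothetical; stands in for PHP's session files)."""
    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)   # unguessable, CSPRNG-backed
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        # Regenerate the ID on authentication: an ID handed out before login
        # (possibly planted by a third party) is discarded, never upgraded.
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def is_authenticated(self, sid):
        s = self._sessions.get(sid)
        return s is not None and s["user"] is not None

def fixation_demo():
    """A pre-auth ID known to someone else must not become an authenticated session."""
    store = SessionStore()
    planted = store.create()              # ID issued before credentials were entered
    new_sid = store.login(planted, "alice")  # constructed sample user
    return store.is_authenticated(planted), store.is_authenticated(new_sid)
```

Running `missing_cookie_flags` over the Set-Cookie lines in a captured response is the quick check that the walkthrough above performed by eye.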
