Broken Session Management is a type of authentication vulnerability that emerges when session persistence is not impleme

Shane1145
Posts: 1836
Joined: Wed Sep 25, 2024 2:31 pm

Post by Shane1145 »

Broken Session Management is a type of authentication vulnerability that emerges when session persistence is not implemented correctly. Broken Session Management is part and parcel of the Broken Authentication category of web application security risk, and, as with the other listings on the OWASP Top 10, Broken Session Management is neither a new nor an overly complex method of attack.

Web sessions enable persistence between consecutive HTTP requests and responses, ensuring every request the application receives from the same user is related. This, in turn, enables subsequent requests, security access control provision, private data access, and even pre- and post-authentication. Once established, the Session ID is effectively the highest-level authentication used by the application, and a very attractive target to any interested malicious actor.

https://knowledge-base.secureflag.com/v ... ility.html
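As an added illustration of the controls whose absence the post describes (this is example code, not from the post or from the linked knowledge base), the following minimal in-memory session store shows unpredictable session IDs, ID regeneration when a user authenticates, idle-timeout expiry, server-side logout, and the cookie attributes that keep the ID out of script reach; the `SessionStore` class, its timeout value and the cookie name are assumptions chosen for the example.

```python
import secrets
import time

# Added example, not code from the post: a minimal session store with the
# controls that, when missing, produce "broken session management".
SESSION_ID_BYTES = 32             # 256 bits from the OS CSPRNG (assumed value)
IDLE_TIMEOUT_SECONDS = 15 * 60    # idle timeout, assumed for the example


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}       # session_id -> {"user": str | None, "last_seen": float}

    def create(self):
        """Start an anonymous (pre-authentication) session with an unguessable ID."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the session record, or None if the ID is unknown or idle-expired."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self._clock() - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]       # expired sessions are dropped, never revived
            return None
        record["last_seen"] = self._clock()
        return record

    def authenticate(self, sid, user):
        """Bind a user to the session and issue a fresh ID, so an ID chosen or
        observed before login (session fixation) is worthless afterwards."""
        if self.lookup(sid) is None:
            return None
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def destroy(self, sid):
        """Server-side logout: clearing the browser cookie alone leaves the session valid."""
        self._sessions.pop(sid, None)


def cookie_header(sid):
    """Set-Cookie value: Secure keeps the ID off plaintext HTTP, HttpOnly keeps it from
    script, SameSite limits cross-site sending. The cookie name is an assumption."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```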