Threat actors may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.