Comment 23 for bug 44062

(In reply to comment #19)
> What I don't see is how the session ID saved by http://example.ltd.uk/ to the
> "sid" cookie can be read by the attacker. Hasn't the user to visit the
attackers
> page again while the "sid" cookie contains the session ID and it's still
valid?
The attacker doesn't have to read the cookie, because he wrote it, so he
already knows what's in it.

You might want to read this for a more thorough explanation:

http://shiflett.org/articles/security-corner-feb2004