Two notes about session hijacking methods:

Difference between stored and reflected XSS attack

Stored or persistent XSS attack – relies on user input stored on the server. Best example – a comment in a news site.
Reflected or non-persistent XSS attack – relies on user input sent in the HTTP query parameters. Best example – site search, showing the keyword after search
Play the XSS game: xss-game.appspot.com

Session fixation

In a nutshell, session fixation means that the attacker obtains a legitimate session ID from the server and then it makes the victim browser to use it. See example.
The counter-measures are quite simple:
– do not accept setting a session id via URL/POST parameters
– change session id after user login
– just use HTTPS and secure cookies, it’s 2017 and HTTPS adoption reached the tipping point