Session hijacking attack is basically consist of exploitation of web session and stealing session tokens. Attackers can use a session sniffer and cross-site scripting attack. I'm not an attacker so I only knew a fraction of methods to do cracking a site.
Security Is Painful
The more security requirements we put in our applications, the more pain we get. Putting an SSL Session is one of the basic requirement to prevent Session Hijacking. There are many proven patterns and practices to put security in applications. However, no perfect security really exists in my opinion.