Lets say we're on a web forum together on site www.xyz.com and I'm allowed to post a URL to an image in my avatar, well instead of www.jimsite.com/myimage.jpg I make it www.jimsite.com/fake_image.php
so the html would output
If your URL string has the session ID passed in it like www.xyz.com?PHPSESSID=593584jgjdl59 and you view the page that has my image.. guess what I can write:
so it looks like it still outputs my image however I just emailed myself your URL string if it contains the PHPSESSID which is the default Session ID name PHP uses. So once I get that email I can copy/paste into my browser and guess what, I'm now you. I can get into your account and do whatever I want and it was pretty darn easy.
be warned.. and get that book!