How to Bypass Authentication Forms

HTTP is a stateless protocol that does not inherently track the session state between a specific user and the web application. By default, the web application does not track the sequence of HTTP requests from a browser, verify any order of requests, or maintain a list of transitions (for example, adding a widget to a shopping cart).

Web applications use session tokens to uniquely identify a user. These session tokens store state information and are used to track transitions such as going from anonymous status to authenticated status.

In most cases session tokens are kept in cookies, but they can also be passed in the URL. A third, rarely encountered scheme carries them in hidden form input fields.

Because the session token alone identifies a user, anyone who learns it can present it to the application and be treated as that user. This is called session spoofing or session replay.
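How a server narrows the window in which a captured token can be replayed, as an added example that is not part of the original page: the token is rotated on the anonymous-to-authenticated transition, invalidated server-side on logout or idle timeout, and delivered only in a cookie rather than a URL or form field. `SessionStore`, `session_cookie`, the cookie name `sid` and the 900-second timeout are assumptions made for this sketch.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 900  # seconds; assumed value for this example

class SessionStore:
    """Server-side table of live session tokens (hypothetical helper)."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be tested

    def _issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "seen": self._now()}
        return token

    def start_anonymous(self):
        return self._issue(None)

    def login(self, old_token, user):
        # Rotate on the anonymous -> authenticated transition, so a token
        # captured before login never becomes an authenticated one.
        self._sessions.pop(old_token, None)
        return self._issue(user)

    def logout(self, token):
        # Invalidate on the server; clearing the cookie alone is not enough.
        self._sessions.pop(token, None)

    def lookup(self, token):
        entry = self._sessions.get(token)
        if entry is None or self._now() - entry["seen"] > IDLE_TIMEOUT:
            self._sessions.pop(token, None)  # unknown or idle too long
            return None
        entry["seen"] = self._now()
        return entry

def session_cookie(token):
    # Cookie-only delivery keeps the token out of URLs, logs and page scripts.
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["httponly"] = True      # not readable from JavaScript
    cookie["sid"]["secure"] = True        # sent over HTTPS only
    cookie["sid"]["samesite"] = "Strict"  # not attached to cross-site requests
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()
```

A token presented after rotation, logout or the idle timeout makes `lookup` return `None`, which the application treats as an unauthenticated request.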

How to replay cookie-based session tokens

How to replay URI-based session tokens