I have read about session fixation and from what I understand it forces a user to use an attacker's session. Is this correct? Can you give me an example of how this could affect the user?
I don't usually like to post links to Wikipedia, but here's a link to a very good explanation on Wikipedia...
Here's the meat of it:
Alice has an account at the bank http://unsafe/. Unfortunately, Alice is not very security savvy.
Mallory is out to get Alice's money from the bank.
Alice has a reasonable level of trust in Mallory, and will visit links Mallory sends her.
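To make the Wikipedia scenario above concrete from the defender's side, here is an added example (not from the post or from Wikipedia) that models a bank's login handler in-process: a deliberately vulnerable version that keeps whatever session ID the client presents, beside the hardened version that issues a fresh ID at login. The users, store and session IDs are constructed for the example.

```python
"""Session fixation, modelled in-process: a deliberately vulnerable login
handler next to the hardened form. Added example; the bank, users and
session IDs here are constructed, not from the original post."""
import secrets


def login_vulnerable(store, presented_sid, user):
    """Accepts whatever session ID the client presents (e.g. one carried in
    a link the attacker chose) and attaches the authenticated user to it."""
    sid = presented_sid or secrets.token_hex(16)
    store[sid] = {"user": user}
    return sid


def login_hardened(store, presented_sid, user):
    """Discards the pre-login session and issues a fresh, server-generated
    ID on authentication, so an ID already known to a third party never
    becomes an authenticated session."""
    store.pop(presented_sid, None)      # invalidate the fixed/anonymous session
    sid = secrets.token_hex(16)         # new ID the client did not choose
    store[sid] = {"user": user}
    return sid


def fixation_succeeds(login):
    """Replays the Alice/Mallory scenario against a login handler and reports
    whether the attacker-chosen ID ends up bound to the victim's account."""
    store = {}
    fixed_sid = "attacker-chosen-session-id"   # constructed value
    # Mallory's link carries fixed_sid; Alice follows it and logs in.
    login(store, fixed_sid, "alice")
    # Mallory later presents the same ID: is it now Alice's session?
    return store.get(fixed_sid, {}).get("user") == "alice"


if __name__ == "__main__":
    print("vulnerable handler fixated:", fixation_succeeds(login_vulnerable))  # True
    print("hardened handler fixated:  ", fixation_succeeds(login_hardened))    # False
```

The hardened handler is the standard mitigation: regenerate the session identifier on every privilege change (login in particular) and never accept an identifier the server did not itself issue.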