As Thilo said, but I’ll explain a little further 🙂

A webserver is stateless! This is really the problem of the authentication-case. You can’t just log in, and then say ‘from now in, this user is logged in’ – you need some way to identify which user it is that’s requesting a new site this time.

A common way of doing this is by implementing sessions. If you packet-sniff your network traffic while logging into, and then browsing a site you’ll commonly notice something like this:

Logging in: You will transmit your username and password to the server. Completely unencrypted! (SSL / HTTPS will encrypt this request for you to avoid man-in-the-middle attacks)

Response: You will receive a randomly generated string of a lot of weird characters. These will typically be stored in a cookie.

Request of some site only you should have access to: You will transmit the randomly generated string to the server. The server will look this string up, and see that it’s associated with your session. This allows the server to identify you, and grant you access to your sites.

.. Now, HTTP in itself is not secure. This means that your password and your session-cookie (the randomly generated string) will be transmitted completely un-encrypted. If someone has access to your traffic (through trojans, router hijacking, whatever), he will be able to see your username / password when you log in, if you’re not using HTTPS. This will grant him access to your site untill you change your password (unless he changes it first 😛 ). In the rest of the requests he will be able to get your session cookie, which means he could steal your identity for the rest of that cookie lifecycle (’till you log out, or the session expires on the server).

If you want to feel secure, use HTTPS. Realistically though, it’s a lot easier to social engineer a keylogger into your computer than it is to read all your traffic 🙂

(Or as others have pointed out, use cross-site-scripting to read your session cookie)