If a hacker gets access to a user's session ID, they can impersonate that user. Session fixation is one method an attacker can use to do this.