Question:
I need some clarity around how cookie-based sessions work. I'm building an app where I authenticate a user and, upon successful authentication, I stick a GUID identifying that user into the session, which in turn gets persisted as a cookie. Now when a user logs in, what's to prevent someone from sniffing traffic, stealing the contents of the user's cookie, creating a cookie on their own end and logging in to my site as that person? Another scenario could be if I had physical access to a machine where the person was logged in: I could also steal the contents of the cookie and impersonate the user.
Answer 1:
What's to prevent someone from sniffing traffic, stealing the contents of the user's cookie, creating a cookie on their own end and logging in to my site as that person?
SSL - the only way to stop that is to run your web site on HTTPS.
I had physical access to a machine where the person was logged in
Once you have physical access to a machine all your security methods are moot. You can do nothing about this.
Answer 2:
I think you have two questions here. In regard to the second: you should not be storing a session key in a cookie and have it stick around longer than the session. Set the timeout on the cookie to expire quickly and invalidate the session on the server as soon as reasonable, and the cookie becomes useless. If you are flowing important information over the wire, use HTTPS.
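The two answers above boil down to one design: the cookie should carry only an opaque random session ID (never the user's GUID itself), it should be sent only over HTTPS, it should expire quickly, and the server must be able to invalidate it. The following is an added example illustrating that design, not code from the question or from either answer. The class and function names (SessionStore, set_cookie_header, parse_cookie_header, demo), the cookie name "sid", the 15-minute timeout and the sample GUID are all assumptions made for the example; a real app would plug the store into its web framework and back it with a shared store rather than a dict.

```python
import secrets
import time
from typing import Optional

# Added example; names, cookie name and timeout are assumptions, not from the post.
SESSION_TTL_SECONDS = 15 * 60  # short idle timeout: a stolen cookie goes stale quickly
COOKIE_NAME = "sid"


class SessionStore:
    """Server-side session store keyed by an opaque random session ID.

    The cookie carries only the random ID; the user's GUID stays on the
    server, so the cookie reveals nothing by itself and can be revoked.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sid -> {"user_id": ..., "expires": ...}

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, unrelated to the user GUID
        self._sessions[sid] = {"user_id": user_id,
                               "expires": self._clock() + SESSION_TTL_SECONDS}
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[str]:
        """Return the user ID for a live session, or None."""
        if not sid:
            return None
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() >= entry["expires"]:
            del self._sessions[sid]  # expired: a replayed cookie can never revive it
            return None
        entry["expires"] = self._clock() + SESSION_TTL_SECONDS  # sliding expiry
        return entry["user_id"]

    def invalidate(self, sid: str) -> None:
        """Logout: delete server-side so any copy of the cookie is useless."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, max_age: int = SESSION_TTL_SECONDS) -> str:
    """Build the Set-Cookie value with the flags that matter on the wire.

    Secure   -> browser sends it only over HTTPS, so sniffing plain HTTP never sees it
    HttpOnly -> not readable from page scripts
    SameSite -> not attached to cross-site requests
    Max-Age  -> the cookie expires quickly
    """
    return (f"{COOKIE_NAME}={sid}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def parse_cookie_header(header: str) -> dict:
    """Parse a request Cookie header ("a=1; b=2") into a dict."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            out[name] = value
    return out


def demo() -> dict:
    """Walk through login, a copied (stolen) cookie, logout and idle expiry."""
    now = [1_000_000.0]  # fake clock so the walk-through is deterministic
    store = SessionStore(clock=lambda: now[0])

    # login: server issues a fresh random session ID; the GUID stays server-side
    user_guid = "3f2b1c8e-2d6a-4c8b-9a7e-1f0c0d9e8a11"  # constructed sample value
    sid = store.create(user_guid)
    header = set_cookie_header(sid)

    # a request carrying the cookie resolves to the user
    cookies = parse_cookie_header(f"theme=dark; {COOKIE_NAME}={sid}")
    while_logged_in = store.lookup(cookies.get(COOKIE_NAME))

    # someone who copied the cookie is indistinguishable from the user until...
    attacker_before_logout = store.lookup(sid)

    # ...the user logs out: server-side invalidation kills the copy too
    store.invalidate(sid)
    attacker_after_logout = store.lookup(sid)

    # a second session simply times out if left idle
    sid2 = store.create(user_guid)
    now[0] += SESSION_TTL_SECONDS + 1
    after_idle_timeout = store.lookup(sid2)

    flags = header.split("; ")
    return {"header_has_secure": "Secure" in flags,
            "header_has_httponly": "HttpOnly" in flags,
            "while_logged_in": while_logged_in,
            "attacker_before_logout": attacker_before_logout,
            "attacker_after_logout": attacker_after_logout,
            "after_idle_timeout": after_idle_timeout}
```

The walk-through in demo() makes the limits explicit: while the session is live, a copied cookie works exactly like the original, which is why the Secure flag (HTTPS only) matters for the sniffing case; what the short timeout and server-side invalidate() buy you is that the copy dies with the session instead of living as long as the cookie file on disk. None of this helps against someone who controls the machine while the user is still logged in, which is the point answer 1 makes.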
Answer 3:
Read this: http://www.linuxforu.com/2009/01/server-side-sessions/
It took a couple of seconds of googling. This article answers your questions about preventing someone from sniffing traffic, stealing the contents of the user's cookie, creating a cookie on their own end and logging in to your site as that person.