Session poisoning or Session Pollution is a term used to refer to security exploit when an invalidated input is assigned to session variables which then gets carried over to other pages opening the supposed to be secured pages to outside world.
It can also refer to a state when more than one application shares the same session variable which when modified without necessary validation causes a race condition.
There is a possibility for an attack or a session hijack when the external agent gets control over the session variable used by victim on the server. Both the agent and the victim needs to have access on the same server for such attacks to take place.
When the same scenario happens on the cookie variables, it is called cookie poisoning.
Precaution to avoid such hijacks are to validate each condition if a cookie or a session is shared or if values are assigned to session or cookies. In such cases, it is also advisable to use a secured transaction path to avoid such attacks.