Websites with user accounts typically implement an authentication mechanism to identify returning users. Post-authentication, a session will be established. The server and browser will exchange a session ID so the server knows which user the browser is representing with each HTTP request.
If a hacker gets access to a user's session ID, they can impersonate that user. Session fixation is one method an attacker can use to do this.